I want to search for "NONE" not in the 3 allowed enum values. I need to ignore "NONE" if it is in an allowed enum. For example, if "ALLLOWED1": "NONE" is in the event, but there is no "NONE" other than that, I do not count it. If "ALLOWED2": "NONE" and "not-allowed": "NONE" are in the same record, I need this record.
The format in my record:
\"ALLOWEDFIELD\": \"NONE\"
I am not sure how I should deal with " and \ in the string for the query.
"MESSAGE_PAYLOAD": "{\"applicationIdentifier\": \"a7654718-435f-4765-a324-d2b6d682b964\", \"timestamp\": \"2025-07-22 13:24:29 001\", \"information\": {\"someDetails\": [{\"sourceName\": \"NONE\"}]}
If this is an accurate representation of your data, I agree with @PickleRick it is bad.
You have 3 open braces and 2 close braces. Go back to your developers and ask them to redevelop the application producing these logs so that they are in a more reasonable format to process.
If this is not an accurate representation of your data, please provide something which accurately represents the data you are dealing with so we have a chance at suggesting something which might help you.
Ok. This is bad. This is ugly.
If all your events look like this you have a completely unnecessary header which just wastes space (and your license) and then you have an escaped payload which you have to unescape to be able to do anything reasonable with.
Get rid of that header, ingest your messages as well-formed json and your life will be much, much easier.
In this form... it's hard to do anything about extracting fields in the first place since it's "kinda structured" data so you can't just handle it with regexes. You could try to unescape it by simple substitution but be aware that depending on your data you might hit some unexpected strings which will not unescape properly. Having unescaped json you can parse it with spath but it will definitely not be a very fast solution.
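As an added illustration (not code from anyone in this thread, and Python rather than SPL so the decision logic is explicit), the following shows the two-layer parse that the escaped payload needs: the outer event is itself JSON text once wrapped in braces, so a JSON parser unescapes the `\"` sequences in MESSAGE_PAYLOAD for you, and the result is parsed again as the real payload. It then walks the payload, collects the paths of every field whose value is "NONE" (using spath-style naming such as `information.someDetails{}.sourceName`), and keeps only events where a non-allowed field is NONE. The field names ALLOWED1..3, the HOST field and the sample events are constructed; the malformed sample is the asker's own line, which fails to parse because its string is never closed, and the code reports that instead of crashing.

```python
import json
from typing import Any, Iterator, List, Optional

# Assumed allowed field names (placeholders; the real ones come from the asker's schema).
ALLOWED = {"ALLOWED1", "ALLOWED2", "ALLOWED3"}


def make_event(fields: dict) -> str:
    """Constructed test helper: serialise fields the way the thread's events look,
    i.e. a JSON object with the outer braces dropped and MESSAGE_PAYLOAD stored as
    an escaped JSON string inside the outer string."""
    fields = dict(fields)
    fields["MESSAGE_PAYLOAD"] = json.dumps(fields["MESSAGE_PAYLOAD"])
    return json.dumps(fields)[1:-1]


# Constructed sample events. The first is hand-written in the raw layout to show
# the escaping; the second is built with make_event. The third is the asker's own
# line from the thread, which has unbalanced braces and an unterminated string.
SAMPLE_EVENTS = [
    r'"HOST": "app01", "MESSAGE_PAYLOAD": "{\"applicationIdentifier\": \"a-1\", \"ALLOWED1\": \"NONE\", \"information\": {\"someDetails\": [{\"sourceName\": \"x\"}]}}"',
    make_event({
        "HOST": "app02",
        "MESSAGE_PAYLOAD": {
            "applicationIdentifier": "a-2",
            "ALLOWED2": "NONE",
            "information": {"someDetails": [{"sourceName": "NONE"}]},
        },
    }),
]
MALFORMED_EVENT = r'"MESSAGE_PAYLOAD": "{\"applicationIdentifier\": \"a7654718-435f-4765-a324-d2b6d682b964\", \"timestamp\": \"2025-07-22 13:24:29 001\", \"information\": {\"someDetails\": [{\"sourceName\": \"NONE\"}]}'


def parse_event(raw: str) -> Optional[dict]:
    """Parse one raw event line. The outer layer becomes a JSON object once wrapped
    in braces; the JSON decoder unescapes the payload string, which is then decoded
    again. Returns the payload dict, or None when either layer is malformed."""
    try:
        outer = json.loads("{" + raw + "}")
        payload = outer["MESSAGE_PAYLOAD"]
        if isinstance(payload, str):
            payload = json.loads(payload)
        return payload if isinstance(payload, dict) else None
    except (ValueError, KeyError, TypeError):
        return None


def none_fields(obj: Any, path: str = "") -> Iterator[str]:
    """Yield the path of every leaf whose value is the string "NONE".
    Arrays are marked with {} like Splunk's spath field naming."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from none_fields(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from none_fields(item, path + "{}")
    elif obj == "NONE":
        yield path


def leaf_name(path: str) -> str:
    """Last key of a dotted path, with any array marker removed."""
    return path.rsplit(".", 1)[-1].rstrip("{}")


def disallowed_none_fields(raw: str) -> Optional[List[str]]:
    """Paths of NONE values in fields that are not on the allow list.
    None means the event could not be parsed (the malformed case above)."""
    payload = parse_event(raw)
    if payload is None:
        return None
    return [p for p in none_fields(payload) if leaf_name(p) not in ALLOWED]


def should_keep(raw: str) -> bool:
    """True only for parseable events with at least one disallowed NONE field."""
    return bool(disallowed_none_fields(raw))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS + [MALFORMED_EVENT]:
        print(should_keep(event), disallowed_none_fields(event))
```

The allow-list check is by leaf field name, which matches how the question is phrased; if the allowed fields only count at the top level of the payload, compare the full path instead of `leaf_name(p)`. Unparseable events are reported separately rather than silently dropped, so a search over them can count how many records the broken producer emits.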
Is this what you are trying to achieve?
Ignore events where "NONE" appears only in allowed fields (e.g., ALLOWED1, ALLOWED2, ALLOWED3).
Include events where "NONE" appears in any other field, even if it also appears in allowed fields.
It would be great if you could post some examples.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Your description is not quite clear.
First you're saying about "ALLLOWED1" : "NONE" but then it suddenly turns out to be \"ALLOWEDFIELD\": \"NONE\". Make up your mind.
Additionally, do you have your fields extracted or do you have to dynamically pull the data from raw events?
This looks like it might be JSON data? If so, please post some sample data (anonymised appropriately) in raw format in a code block using the </> option, to preserve the formatting of your event.