It appears to us that NOT and != are different. It seems that != <val> implies that <val> is not empty. Is it right?
Greetings @danielbb,
You are correct. Take a look at these run-anywhere searches to demonstrate:
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1=*
Displays row where id=2
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1!="Something 2"
Displays nothing because id=1 has field1=null() and id=2 has field1 equal to the != filter
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search NOT(field1="Something 2")
Displays row where id=1 because even though field1 is null, it is still not equal to "Something 2"
Cheers,
Jacob
Very kind of you @jacobevans.
NOT inverts the value of the following boolean expression in a search. It does not compare any values. Thus, it is a unary boolean operator.
!= is a binary operator that compares the values of the expressions before and after the !=.
Example:
("Foo" != "Bar") will return true because "Foo" is not like "Bar"
NOT ("Foo" != "Bar") will return the opposite of true: false
A Splunk search like index=* "Foo" "Bar" is parsed as index=* "Foo" AND "Bar"; thus, if you type index=* "Foo" NOT "Bar", it will be interpreted as index=* "Foo" AND NOT "Bar", returning all events that contain "Foo" but not "Bar".
Hope it helps, Oliver
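The behaviour both answers describe, modelled as an added Python example (this is not code from the thread or from Splunk): a handful of constructed events, one of which lacks field1 entirely (the null() row), and small predicate builders for field=*, field=value, field!=value, bare search terms, NOT and the implicit AND. The term matcher is a substring approximation and the event rows are made up for the demonstration; the three field searches reproduce Jacob's results and the "Foo" NOT "Bar" search reproduces Oliver's.

```python
# Added example, not code from the Splunk Community thread or from Splunk:
# a small Python model of how a search evaluates field=*, field!=value and
# NOT field=value against events whose field may be missing (null), plus the
# implicit AND / NOT of bare search terms. All event data is constructed here.
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Constructed to mirror the thread's makeresults rows:
# id=1 has no field1 at all (null()), id=2 has field1="Something 2".
EVENTS: List[Event] = [
    {"id": "1", "field2": "Something 1"},
    {"id": "2", "field1": "Something 2", "field2": "Something 3"},
]

# Constructed raw events for the free-text "Foo" NOT "Bar" case.
RAW_EVENTS: List[Event] = [
    {"id": "a", "_raw": "user=alice action=Foo"},
    {"id": "b", "_raw": "user=bob action=Foo detail=Bar"},
    {"id": "c", "_raw": "user=carol action=Bar"},
]


def field_exists(name: str) -> Predicate:
    """field=* : true only when the field is present (non-null)."""
    return lambda ev: ev.get(name) is not None


def field_eq(name: str, value: str) -> Predicate:
    """field=value : binary comparison; a missing field never matches."""
    return lambda ev: ev.get(name) is not None and ev[name] == value


def field_neq(name: str, value: str) -> Predicate:
    """field!=value : also a binary comparison, so a missing field never
    matches. This is what the thread demonstrates: != implies the field
    actually has a value."""
    return lambda ev: ev.get(name) is not None and ev[name] != value


def term(text: str) -> Predicate:
    """Bare search term: approximated as a case-insensitive substring match
    on _raw (assumption for this model; real term matching is token based)."""
    return lambda ev: text.lower() in ev.get("_raw", "").lower()


def not_(pred: Predicate) -> Predicate:
    """NOT : unary inversion of whatever the inner predicate returned."""
    return lambda ev: not pred(ev)


def and_(*preds: Predicate) -> Predicate:
    """Implicit AND between adjacent search clauses."""
    return lambda ev: all(p(ev) for p in preds)


def run_search(pred: Predicate, events: Optional[List[Event]] = None) -> List[str]:
    """Return the ids of the events the predicate keeps, in input order."""
    rows = EVENTS if events is None else events
    return [ev["id"] for ev in rows if pred(ev)]


if __name__ == "__main__":
    # The three searches from Jacob's answer, run against the constructed rows.
    print("field1=*                 ->", run_search(field_exists("field1")))
    print('field1!="Something 2"    ->', run_search(field_neq("field1", "Something 2")))
    print('NOT field1="Something 2" ->', run_search(not_(field_eq("field1", "Something 2"))))
    # Free-text form from Oliver's answer: "Foo" NOT "Bar" is "Foo" AND NOT "Bar".
    print('"Foo" NOT "Bar"          ->',
          run_search(and_(term("Foo"), not_(term("Bar"))), RAW_EVENTS))
```

The practical consequence for detection content: an exclusion written as field!=expected silently drops every event in which the field was never extracted, whereas NOT field=expected keeps those events for review. When a rule is meant to alert on anything that is not the expected value, including events where parsing failed, the NOT form is the one that does not create a blind spot.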