Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What's the difference between NOT and != ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It appears to us that NOT and != are different. It seems that != <val> implies that <val> is not empty. Is it right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @danielbb,
You are correct. Take a look at these run-anywhere searches to demonstrate:
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1=*
Displays row where id=2
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1!="Something 2"
Displays nothing because id=1 has field1=null() and id=2 has field1 equal to the != filter
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search NOT(field1="Something 2")
Displays row where id=1 because even though field1 is null, it is still not equal to "Something 2"
Cheers,
Jacob
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @danielbb,
You are correct. Take a look at these run-anywhere searches to demonstrate:
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1=*
Displays row where id=2
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search field1!="Something 2"
Displays nothing because id=1 has field1=null() and id=2 has field1 equal to the != filter
| makeresults | eval id="1", field1=null() , field2="Something 1"
| append [ | makeresults | eval id="2", field1="Something 2", field2="Something 3" ]
| search NOT(field1="Something 2")
Displays row where id=1 because even though field1 is null, it is still not equal to "Something 2"
Cheers,
Jacob
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very kind of you @jacobevans.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NOT inverts the value of the following boolean expression in a search. It does not compare any values. Thus, it is an unary boolean operator.
!= is a binary operator that compares the values of the expressions before and after the !=
Example:
("Foo" != "Bar") will return true because "Foo" is not like "Bar"
NOT ("Foo" != "Bar") will return the opposite of true: false
A splunk search like index=* "Foo" "Bar"is being parsed as index=* "Foo" AND "Bar" thus, if you type index=* "Foo" NOT "Bar" it will be interpreted as index=* "Foo" AND NOT "Bar" returning all events that contain "Foo" but not "Bar"
Hope it helps, Oliver
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
