Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I unable to filter COMMAND twice?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I am trying to setup a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately.
Here is a version of the search:
```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw"
| table _time host user _raw
| where COMMAND!="*/usr/sbin/ufw status*"
```
I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc.
I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose.
Any help here?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestions!
Turns out the field never exists in a parsed state. This query solved the issue for me.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Why am I unable to filter COMMAND twice?"
The reason why you can't filter the COMMAND at the end is because that field no longer exists after being dropped when you specified "| table _time host user _raw".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm an idiot for not spotting that and have modified by answer accordingly.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestions!
Turns out the field never exists in a parsed state. This query solved the issue for me.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The where command does not support wildcards. You must use the match or like function or the search command.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| search COMMAND!="*/usr/sbin/ufw status*"index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT match(COMMAND, "\/usr\/sbin\/ufw status")index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT like(COMMAND, "%/usr/sbin/ufw status%")
If this reply helps you, Karma would be appreciated.
Data Management Digest – November 2025
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
