Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I unable to filter COMMAND twice?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I am trying to setup a search that logs ufw commands, while ignoring any ufw status commands. I have tried a number of methods so far but cannot get the COMMAND field to filter appropriately.
Here is a version of the search:
```
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw"
| table _time host user _raw
| where COMMAND!="*/usr/sbin/ufw status*"
```
I've tried a number of things including trying NOT instead of !, searching for various strings (status, *status*, etc.), filtering on the _raw field instead of COMMAND, using search instead of where, putting the table after the where, etc.
I cannot get the events to filter out. It seems like I either get all the events or none of the events depending on the filter I choose.
Any help here?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestions!
Turns out the field never exists in a parsed state. This query solved the issue for me.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Why am I unable to filter COMMAND twice?"
The reason why you can't filter the COMMAND at the end is because that field no longer exists after being dropped when you specified "| table _time host user _raw".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm an idiot for not spotting that and have modified by answer accordingly.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your suggestions!
Turns out the field never exists in a parsed state. This query solved the issue for me.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" ufw
| rex field=_raw "COMMAND=(?<ufw_path>\/usr\/sbin\/ufw )(?<ufw_command>.*)"
| where ufw_command!="status"
| table _time host user _raw ufw_path ufw_command- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The where command does not support wildcards. You must use the match or like function or the search command.
index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| search COMMAND!="*/usr/sbin/ufw status*"index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT match(COMMAND, "\/usr\/sbin\/ufw status")index="*" host="*dev*" source="/var/log/auth.log" process="sudo" COMMAND="/usr/sbin/ufw*"
| table _time host user _raw COMMAND
| where NOT like(COMMAND, "%/usr/sbin/ufw status%")
If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
