Splunk Search

Why do we use this is in the search ?

innoce
Path Finder

Hello,

Here's my search:

 

index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query

 

Why do they use AND NOT 1=0 here?  Even without this the results are same. I just want to know why do they use this. 

Any help would be appreciated!

Thankyou

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

There's not much point in this condition. Where did you get that?

And 'dis_name IN ("*")' can be simply written as dis_name=*.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

PickleRick
SplunkTrust
SplunkTrust

Makes perfect sense. 🙂

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...