Solved: Why do we use this is in the search ?

innoce · ‎02-11-2022

Hello,

Here's my search:

index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query

Why do they use AND NOT 1=0 here? Even without this the results are same. I just want to know why do they use this.

Any help would be appreciated!

Thankyou

yuanliu · ‎02-12-2022

Let me speculate😉. This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

View solution in original post

PickleRick · ‎02-11-2022

There's not much point in this condition. Where did you get that?

And 'dis_name IN ("*")' can be simply written as dis_name=*.

yuanliu · ‎02-12-2022

Let me speculate😉. This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

PickleRick · ‎02-12-2022

Makes perfect sense. 🙂

Why do we use this is in the search ?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Why do we use this is in the search ?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!