innoce
Path Finder
02-11-2022
11:27 PM
Hello,
Here's my search:
index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query
Why do they use AND NOT 1=0 here? Even without this the results are the same. I just want to know why they use this.
Any help would be appreciated!
Thank you
1 Solution
yuanliu
SplunkTrust
02-12-2022
12:08 PM
Let me speculate😉. This is perhaps from a dashboard that opens like such
index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$
1=0 is assigned to exclude_tok as a catchall.
PickleRick
SplunkTrust
02-11-2022
11:35 PM
There's not much point in this condition. Where did you get that?
And 'dis_name IN ("*")' can be simply written as dis_name=*.
PickleRick
SplunkTrust
02-12-2022
12:12 PM
Makes perfect sense. 🙂