Splunk Search

Why do we use this is in the search ?

innoce
Path Finder

Hello,

Here's my search:

 

index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query

 

Why do they use AND NOT 1=0 here?  Even without this the results are same. I just want to know why do they use this. 

Any help would be appreciated!

Thankyou

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

There's not much point in this condition. Where did you get that?

And 'dis_name IN ("*")' can be simply written as dis_name=*.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

PickleRick
SplunkTrust
SplunkTrust

Makes perfect sense. 🙂

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...