Splunk Search

Why do we use this is in the search ?

innoce
Path Finder

Hello,

Here's my search:

 

index="blah" sourcetype="blah" severity="*" dis_name IN ("*") "*" AND NOT 1=0 | rest of the query

 

Why do they use AND NOT 1=0 here?  Even without this the results are same. I just want to know why do they use this. 

Any help would be appreciated!

Thankyou

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

There's not much point in this condition. Where did you get that?

And 'dis_name IN ("*")' can be simply written as dis_name=*.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Let me speculate😉.  This is perhaps from a dashboard that opens like such

index="blah" sourcetype="blah" severity="$severity_tok$" dis_name IN ("$dis_name_tok$") "$freetext_tok$" AND NOT $exclude_tok$

1=0 is assigned to exclude_tok as a catchall.

PickleRick
SplunkTrust
SplunkTrust

Makes perfect sense. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...