Splunk Search

Why using regex to remove a particular field is not working?

praddasg
Path Finder

I am using the below query and I was able to not get the results which had messages like "Optional.of(The following items are not available for order at this time)" but I found one of the message still appearing "Optional.of(Items quantity is over the maximum quantity)". Not sure if this has anything to do with the regex

REJECTED sourcetype="pos-generic:prod" partner_account_name="Level Up"
| regex message != "item"
| table merchantId, orderId, message
| stats count by merchantId, message

alt text

Tags (1)
0 Karma
1 Solution

vnravikumar
Champion

Hi

Try with following where instead of regex

......| where NOT message like ("%item%") AND NOT message like ("%Item%")|...

View solution in original post

mydog8it
Builder

If you would like to stay with regex I think this will get it for you:

| regex message != "[iI]tem"

vnravikumar
Champion

Hi

Try with following where instead of regex

......| where NOT message like ("%item%") AND NOT message like ("%Item%")|...
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>