- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: difference between NOT and !=
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fellow Splunkers,
I just fell over the difference between "NOT src_ip=1.2.3.4" and "src_ip!=1.2.3.4" in a basesearch. Can someone explain what the difference is and why?
What I did was to use this statement in a basesearch, filtering out this single IP. What happens is:
- "src_ip!=1.2.3.4": Filters out this single IP and all events with src_ip being null
- "NOT src_ip=1.2.3.4": Filters out this single IP, leaves all events with null src_ip standing
I know that "NOT src_ip=*" is the best way to search for empy or null occurences of src_ip. But I figure I should understand what is happening under the hood as well.
Thanks for the enlightenment.
Olli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"fieldname!=value" expect only matches events where the does field exist. NOT does not and matches also events where the field does not exist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"fieldname!=value" expect only matches events where the does field exist. NOT does not and matches also events where the field does not exist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from the splunk search manual...
Difference between NOT and !=
When you want to exclude results from your search you can use the NOT
operator or the != field expression. However there is a significant difference in the
results that are returned from these two methods.
Suppose you have the following fields:
· fieldA
· fieldB
· fieldC
Each of these fields has 3 values, for example fieldA has value1, value2, and
value3.
If you search for fieldB!=value3, the search returns only those values for
fieldB that are not value3:
· fieldB=value1, fieldB=value2
If fieldB does not exist, nothing is returned.
If you search for NOT fieldB=value3, the search returns everything except
fieldB=value3:
· fieldA=value1, fieldA=value2, fieldA=value3
· fieldB=value1, fieldB=value2
· fieldC=value1, fieldC=value2, fieldC=3
If fieldB does not exist, NOT fieldB=value3 returns:
· fieldA=value1, fieldA=value2, fieldA=value3
· fieldC=value1, fieldC=value2, fieldC=3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thinking about it, I would assume that "src_ip!=" needs a fieldvalue to compare with. Probably a "check this fieldvalue, remove the match". So if no fieldvalue is there, the the clause cannot come back being positive, because it cannot be checked.
Whereas "NOT src_ip" negates the clause. Which is negative when either this wanted value exists or when the field cannot be checked. So on both occurences it comes back negative, negated again gives a positive.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
