Solved: excluding a search result

moayadalghamdi · ‎02-03-2021

Hello Splunkers !

i have a problem here, that we're running an infra structure change and for that im getting duplicated logs

im running a search that show bytes count for users on proxy, but because of the double logs i get two usernames instead of on so for that the users column is empty

look at the image below please:

we can see the username is duplicated, its the same user, but the old user has "d1$" more than the name.

please help me to eliminate the old user name and only fit the one in the search.

ive tried this: user!=*d1$* but the table still misses the users in columns

manjunathmeti · ‎02-03-2021

hi @moayadalghamdi,

Use replace to replace "d1$" in user value.

index=Proxy user!="-" action="allowed" user=* | eval user=replace(user, "d1\$", "") | stats sum(bytes) as GB by src_ip, user | eval GB=GB/1024/1024/1024

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎02-03-2021

hi @moayadalghamdi,

Use replace to replace "d1$" in user value.

index=Proxy user!="-" action="allowed" user=* | eval user=replace(user, "d1\$", "") | stats sum(bytes) as GB by src_ip, user | eval GB=GB/1024/1024/1024

If this reply helps you, an upvote/like would be appreciated.

moayadalghamdi · ‎02-03-2021

Awesome !, Thanks !

excluding a search result

fields

metadata

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation