Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to exclude several patterns by IN functio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cheriemilk
Path Finder
04-07-2021
10:30 PM
Hi team,
I have below sample events in splunk.
2021-04-09 07:12:41,323 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.1CMID=shangThai CMN="shanghai"
2021-04-08 07:12:41,323 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.1CMID=shanghai CMN="shanghai"
2021-04-08 07:11:57,929 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shanghaiT1 CMN="shanghai"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=chengdu CMN="chengdu"
2021-04-08 07:11:53,871 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=chengduT3 CMN="chengdu"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=city CMN="city"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=beijing CMN="beijing"
2021-04-09 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=Tbeijing CMN="beijing"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shenyang CMN="shengyang"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shenyangD CMN="shengyang"
In the base query, I want to filter out below events with CMID value match below patterns:
1) *T
2) *T#: # is a wildcard stands for a number.
3) *D
4) *D#: # is a wildcard stands for a number.
and i am trying to filter them out by IN function, but failed.
NOT CMID IN ("*T", "*T#", " *D", "*D#" )
Questions: how to achieve this by IN function?
Thanks,
Cherie
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-08-2021
12:03 AM
hi @cheriemilk,
Filtering on *T# and *D# is not possible in IN function as fields as it only supports asterisk ( * ) character as a wildcard in field values. You can use the where command with the match function.
https://docs.splunk.com/Documentation/Splunk/latest/Search/Wildcards
index=index NOT CMID IN("*T", "*D") | where NOT match(CMID, "(T|D)\d+$")
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-08-2021
12:03 AM
hi @cheriemilk,
Filtering on *T# and *D# is not possible in IN function as fields as it only supports asterisk ( * ) character as a wildcard in field values. You can use the where command with the match function.
https://docs.splunk.com/Documentation/Splunk/latest/Search/Wildcards
index=index NOT CMID IN("*T", "*D") | where NOT match(CMID, "(T|D)\d+$")
If this reply helps you, a like would be appreciated.
Get Updates on the Splunk Community!
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
