Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ignoring extracted value

sumitnagal
Path Finder
‎09-04-2011 10:45 AM

I want to ignore certain search results from by search. Now one way is below where I can filter the extracted value, which I am using currently. This is not the great solution though, as I already have around 6-7 filter in search command. Now adding more will create a big problem for me. as every time i need to add using new pipe.

some search string | eval puserid = mvfilter(puserid != 211930670 ) | eval puserid = mvfilter(puserid != 212327191 ) | eval puserid = mvfilter(puserid != 211896322 ) | eval puserid = mvfilter(puserid != 212327208 | stats

somehow this is working fine, till I come to another use case where I need to ignore these values on daily basis. Now I have created n searches and on top of that a Dashboard. going modifying one by one is time consuming. Also, that is not viable solution. I am looking for a solution, where I can pass information which can be ignored from extracted results and I need not to modify my searches.

Tags (3)
Reply

sumitnagal
Path Finder
‎09-07-2011 07:26 AM

I have used lookup which has solved the problem, but now everytime I need to update lookup.csv file. Currently I am deleting existing lookup file and uploading new lookup file with values.

0 Karma
Reply

sumitnagal
Path Finder
‎09-06-2011 06:36 AM

the only problem is I am getting puserid from a search string, hence I am thinking of using like this way

some search string |rex field=_raw " (?[^ ]) (?[A-Za-z]) (?[^ ]) (?[^ ]) " | eval puserid = mvfilter(puserid != 211930670 ) | eval puserid = mvfilter(puserid != 212327191 ) | eval puserid = mvfilter(puserid != 211896322 ) | eval puserid = mvfilter(puserid != 212327208 | stats

let me know, if there are better ways to do so.

Also, in your suggestion every time I need to add puserid, which I want to ignore in my use case.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎09-04-2011 11:58 AM

I'm not sure I understand why your are using eval as such, as it is suboptimal. As a rule of thumb, filtering should be performed before the first pipe symbol.

some search string NOT puserid=211930670 NOT puserid=212327191 ... | stats ...

A more efficient solution would be to use a lookup or eventtypes and tags to manage the list of puserid that you want to exclude.

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...