Splunk Search

props.conf w/ Regex ?

tmarlette
Motivator

Is it possible to exclude specific results in a field from the search in the props.conf? I suppose more specifically on the backend?

Currently I am using a series of regex statements to exclude some values such as:

<mysearch> | regex <field1>!=<value> | regex <field1>!=<value>

is there a better way to do this?

0 Karma

kristian_kolb
Ultra Champion

Not sure what you mean, really.

With props/transforms you can filter out events so they never get indexed. You can also set up search time field extractions and field aliases, for example.

However, you can't filter out search results the way your search example describes.

Also, why use | regex field != value? Unless you have some pattern matching to do, you could stick it before the first pipe as field != value or use | search field != value. But perhaps these are newly eval'ed fields of a complicated nature.

Perhaps if you provide some sample events you'd be able to get better help.

/K

0 Karma
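As an added illustration of the index-time filtering kristian_kolb refers to (this is not configuration posted in the thread), the props.conf/transforms.conf pair below routes matching events of the www sourcetype to nullQueue so they are never indexed. The stanza name drop_health_checks and the assumed raw form "hck=health" of the health-check events are assumptions; the thread only shows that the sourcetype is www and that an extracted field hck carries the value health.

```ini
# props.conf (must live on the tier that parses the data: an indexer or a
# heavy forwarder, not a universal forwarder)
[www]
# Assumption: sourcetype stanza name taken from sourcetype=www in the thread.
TRANSFORMS-drop_health = drop_health_checks

# transforms.conf
[drop_health_checks]
# Assumption: health-check events contain the literal text hck=health in _raw.
# Index-time transforms match against the raw event (SOURCE_KEY defaults to
# _raw), not against a search-time extracted field such as hck.
REGEX = (?i)\bhck=health\b
# Send matching events to the null queue instead of indexing them.
DEST_KEY = queue
FORMAT = nullQueue
```

Events that match are discarded before indexing and cannot be recovered by any later search, so this only suits data you are sure you never want. Since tmarlette states below that the events have to be kept, this is not the right tool for that case; a search-time filter on the field value (such as user_agent=*) is, and it leaves the indexed data untouched.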

tmarlette
Motivator

That's OK... I just used the regex statements to filter out all of the unwanted events in the search itself. It doesn't seem like there is a way to do it in props / transforms.conf.

Thank you !

0 Karma

kristian_kolb
Ultra Champion

Hmm, if you just want to ensure that the user_agent is not null, I guess you could search for:

sourcetype=www user_agent=*

This will only return events that contain the field user_agent, and where it has a non-null value. Of course you can add more fields like referer=* or clientip=*

/k

0 Karma

kristian_kolb
Ultra Champion

I guess that hck is an extracted field. Post a few events, and describe which ones you want to filter out of the search results, and why (i.e. on what criteria).

/k

0 Karma

tmarlette
Motivator

I've tried to use your suggestion of field!=value, however it is not taking. I assume my syntax is wrong. This ONLY returns the results that I don't want to see.

This is my search string:

sourcetype=www source=<mysource> hck!=health hck!=Health

0 Karma

tmarlette
Motivator

In this case I'm looking in web logs. Some of the fields periodically (such as useragent) end up with a null value because of internal machine queries. This throws off some of our analytics.

I have to keep the events, simply because they are web events, and the values change. Not everything that connects to our web environment has a null value for the useragent field.

I'm looking to see if there is a way that I can simply exclude the 'null' results on the back end, as opposed to doing it in the search query?

0 Karma