Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search correction with NOT

aniketb
Path Finder
‎09-18-2013 11:14 AM

I have an alert setup. It is like

"ABC-* NOT ("ABC-1" OR "ABC-2")

"ABC-1", "ABC-2" being stuff I have taken care of.

My result is like:

ABC-
ABC-3
ABC-4
ABC-5

I want to remove that "ABC-".

The problem is, if I add it as NOT to the search, I see no results. Like in

"ABC-* NOT ("ABC-" OR "ABC-1" OR "ABC-2")

I get 0 results. How to do that correctly?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎09-18-2013 05:05 PM

Try this

"abc-* NOT ("abc-1" OR "abc-2" OR TERM("abc-"))

You can read more about TERM here

0 Karma
Reply

lguinn2
Legend
‎09-19-2013 10:50 PM

You can't use regex as the search, although you could run a search and then apply the regex command to it as @yannK did...

0 Karma
Reply

lukejadamec
Super Champion
‎09-18-2013 06:06 PM

Thanks for the new term... er tool.
Why not just use
regex _raw="ABC-\d"
as the search and then NOT whateverelse?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-18-2013 11:18 AM

The ABC-* is very generic.

if you have a space after ABC-
"ABC-* NOT ("ABC-1" OR "ABC-2" OR "ABC- ")

otherwise, you can add a second regex filter after to keep only ABC-

"ABC-* NOT ("ABC-1" OR "ABC-2") | regex _raw="ABC-\d"

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-18-2013 01:10 PM

It works, the events with a non matching rex field "errorname" will have a null value for errorname, and should not appear in your stats by errorname.

0 Karma
Reply

aniketb
Path Finder
‎09-18-2013 11:40 AM

I do pass this to a regex because this is an error code. Your regex doesn't gel well with mine. My complete search string is

"ABC-" NOT ("ABC-1" OR "ABC-2") | rex "(?ABC-[0-9])" | stats count by ErrorName | sort-count

Also there's no space after "ABC-"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...