search correction with NOT

aniketb · ‎09-18-2013

I have an alert setup. It is like

"ABC-* NOT ("ABC-1" OR "ABC-2")

"ABC-1", "ABC-2" being stuff I have taken care of.

My result is like:

ABC-
ABC-3
ABC-4
ABC-5

I want to remove that "ABC-".

The problem is, if I add it as NOT to the search, I see no results. Like in

"ABC-* NOT ("ABC-" OR "ABC-1" OR "ABC-2")

I get 0 results. How to do that correctly?

lguinn2 · ‎09-18-2013

Try this

"abc-* NOT ("abc-1" OR "abc-2" OR TERM("abc-"))

You can read more about TERM here

lguinn2 · ‎09-19-2013

You can't use regex as the search, although you could run a search and then apply the regex command to it as @yannK did...

lukejadamec · ‎09-18-2013

Thanks for the new term... er tool.
Why not just use
regex _raw="ABC-\d"
as the search and then NOT whateverelse?

yannK · ‎09-18-2013

The ABC-* is very generic.

if you have a space after ABC-
"ABC-* NOT ("ABC-1" OR "ABC-2" OR "ABC- ")

otherwise, you can add a second regex filter after to keep only ABC-

"ABC-* NOT ("ABC-1" OR "ABC-2") | regex _raw="ABC-\d"

yannK · ‎09-18-2013

It works, the events with a non matching rex field "errorname" will have a null value for errorname, and should not appear in your stats by errorname.

aniketb · ‎09-18-2013

I do pass this to a regex because this is an error code. Your regex doesn't gel well with mine. My complete search string is

"ABC-" NOT ("ABC-1" OR "ABC-2") | rex "(?ABC-[0-9])" | stats count by ErrorName | sort-count

Also there's no space after "ABC-"

search correction with NOT

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?