Splunk Search

where operation with multiple search criteria + regex

HattrickNZ
Motivator

This is my search

index=X ....| 
search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"           

What is the shortest way to write the search part? I was hoping to use regex (e.g. search column!="[TlmId*") but that does not seem to work. Can anyone advise of a less verbose way of writing this?

0 Karma

woodcock
Esteemed Legend

Use regex instead of search, like this:

| regex column!="^[TImld]"
0 Karma

DalJeanis
Legend

Try this -

| where NOT match(column,"^[TImld]")

match looks for any subset of the field, so you use an anchor ^ to lock it to the beginning, and you don't have to worry about the *. You do have to close the square bracket to complete the specification of what kind of characters will match.

0 Karma
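As an added illustration that is not part of this thread: both answers above (the regex command and where NOT match()) depend on two regex properties, the ^ anchor and the character class, plus one Splunk detail worth knowing before swapping one form for the other. The regex command and match() are PCRE and case-sensitive by default, while the search command's wildcard comparison on field values is case-insensitive, so column!="T*" also drops values beginning with a lowercase "t" and ^[TImld] does not. The Python below uses the re module as a stand-in for Splunk's PCRE engine and runs the original five wildcard clauses and the regex forms over a constructed list of column values; SAMPLE_VALUES, search_wildcard_filter and regex_filter are names chosen for this example, not Splunk functions.

```python
import re

# Constructed column values for the demonstration (not taken from the thread).
SAMPLE_VALUES = ["Tango", "Ice", "mike", "lima", "delta", "alpha", "tango", "xTray"]


def search_wildcard_filter(values):
    """Emulate the original clause list:
        search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"
    The search command compares field values case-insensitively, so "T*"
    also removes values that start with a lowercase "t".
    (Assumption of this emulation: every event has the field populated;
    missing/empty fields are not modelled.)
    """
    prefixes = ("t", "i", "m", "l", "d")
    return [v for v in values if not v.lower().startswith(prefixes)]


def regex_filter(values, pattern=r"^[TImld]"):
    """Emulate `| regex column!="<pattern>"` and
    `| where NOT match(column, "<pattern>")`.
    Both are PCRE-style and case-sensitive unless the pattern opts out.
    re.search mirrors match(), which succeeds anywhere in the value, so the
    `^` anchor is what pins the character class to the first character.
    """
    rx = re.compile(pattern)
    return [v for v in values if not rx.search(v)]


if __name__ == "__main__":
    print("search wildcards    :", search_wildcard_filter(SAMPLE_VALUES))
    print("regex ^[TImld]      :", regex_filter(SAMPLE_VALUES))
    print("regex (?i)^[TImld]  :", regex_filter(SAMPLE_VALUES, r"(?i)^[TImld]"))
    print("regex [TImld], no ^ :", regex_filter(SAMPLE_VALUES, r"[TImld]"))
```

Run stand-alone and compare the four lists: the anchored, case-sensitive class keeps "tango" where the original wildcard search drops it, so if the original behaviour is what you want, write the pattern as (?i)^[TImld]. Dropping the ^ makes the class match anywhere in the value and also discards "alpha" and "xTray", which is exactly the mistake the anchor prevents.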

tmarlette
Motivator

regex very well may be a better option here, but I can't see enough of your search to tell you how effective it would be

can you copy your whole search query and anonymize whatever is necessary?

for instance

index=myIndex sourcetype=mySourcetype  host=myHost | stats count by host username logingId
0 Karma