where operation with multiple search criteria + re...

HattrickNZ · ‎08-17-2017

This is my search

index=X ....| 
search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"

What is the shortest way to write the search part. I was hoping to use regex (e.g. search column!="[TlmId*")but that does not seem to work. Can anyone advise of a less verbose way of writing this?

woodcock · ‎08-17-2017

Use regex instead of search, like this:

| regex column!="^[TImld]"

DalJeanis · ‎08-17-2017

Try this -

| where NOT match(column,"^[TImId]")

match looks for any subset of the field, so you use an anchor ^ to lock it to the beginning, and you don't have to worry about the *. You do have to close the square bracket to complete the specification of what kind of characters will match.

tmarlette · ‎08-17-2017

regex very well may be a better option here, but I can't see enough of your search to tell you how effective it would be

can you copy your whole search query and anonymize whatever is necessary?

for instance

index=myIndex sourcetype=mySourcetype  host=myHost | stats count by host username logingId

where operation with multiple search criteria + regex

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Are you a member of the Splunk Community?

where operation with multiple search criteria + regex

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility