Splunk Search

where operation with multiple search criteria + regex

HattrickNZ
Motivator

This is my search

index=X ....|
search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"

What is the shortest way to write the search part? I was hoping to use regex (e.g. search column!="[TlmId*") but that does not seem to work. Can anyone advise of a less verbose way of writing this?

0 Karma

woodcock
Esteemed Legend

Use regex instead of search, like this:

| regex column!="^[TImld]"
0 Karma

DalJeanis
Legend

Try this -

| where NOT match(column,"^[TImld]")

match looks for any subset of the field, so you use an anchor ^ to lock it to the beginning, and you don't have to worry about the *. You do have to close the square bracket to complete the specification of what kind of characters will match.

0 Karma
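The two answers above rely on a detail worth making explicit: the original search command matches field values with wildcards, case-insensitively, while regex and match() are PCRE-style, case-sensitive, and match anywhere in the value unless anchored. The following Python model is an added example, not code from this thread or from Splunk; it mimics those three behaviours over a constructed list of values so you can see which values each variant drops, and shows that the regex form only becomes equivalent to the original search filter once it is both anchored and made case-insensitive with (?i).

```python
import re

# Constructed sample field values, not from the original thread.
SAMPLE_VALUES = [
    "Tokyo", "tokyo", "Ipswich", "madrid", "lisbon", "dublin",
    "Oslo", "Paris", "Delhi", "STImld",
]

# The five wildcards from the original question.
ORIGINAL_WILDCARDS = ["T*", "I*", "m*", "l*", "d*"]


def wildcard_to_regex(pattern):
    """Translate a Splunk-style wildcard (* matches any run of characters)
    into a regex anchored at both ends, i.e. a whole-value match."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def search_style_exclude(values, wildcards):
    """Model of `search column!="T*" column!="I*" ...`:
    whole-value wildcard matching, case-insensitive (assumption: this is
    how the search command compares field values)."""
    regexes = [re.compile(wildcard_to_regex(w), re.IGNORECASE) for w in wildcards]
    return [v for v in values if not any(r.match(v) for r in regexes)]


def regex_style_exclude(values, pattern):
    """Model of `| regex column!="<pattern>"` and
    `| where NOT match(column, "<pattern>")`:
    re.search, so the pattern may hit anywhere in the value unless it is
    anchored, and it is case-sensitive unless the pattern itself says (?i)."""
    r = re.compile(pattern)
    return [v for v in values if not r.search(v)]


def compare_variants(values=SAMPLE_VALUES):
    """Return what survives under each filtering variant, for side-by-side review."""
    return {
        "search wildcards": search_style_exclude(values, ORIGINAL_WILDCARDS),
        "regex unanchored": regex_style_exclude(values, "[TImld]"),
        "regex anchored": regex_style_exclude(values, "^[TImld]"),
        "regex anchored, (?i)": regex_style_exclude(values, "(?i)^[TImld]"),
    }


if __name__ == "__main__":
    for name, survivors in compare_variants().items():
        print(f"{name:22s} -> {survivors}")
```

Running it shows the unanchored class also throws away "Oslo" and "Delhi" because they contain an "l" in the middle, the anchored but case-sensitive class keeps "tokyo" and "Delhi" that the original search would have dropped, and only "(?i)^[TImld]" yields the same survivors as the original five-clause search. When you shorten a filter this way in a detection or exclusion rule, diff the results on known data before and after, as this function does, rather than assuming the rewrite is equivalent.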

tmarlette
Motivator

Regex very well may be a better option here, but I can't see enough of your search to tell you how effective it would be.

Can you copy your whole search query and anonymize whatever is necessary?

For instance:

index=myIndex sourcetype=mySourcetype host=myHost | stats count by host username logingId
0 Karma