Splunk Search

where operation with multiple search criteria + regex

HattrickNZ
Motivator

This is my search

index=X ....|
search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"

What is the shortest way to write the search part? I was hoping to use regex (e.g. search column!="[TlmId*") but that does not seem to work. Can anyone advise of a less verbose way of writing this?


woodcock
Esteemed Legend

Use regex instead of search, like this:

| regex column!="^[TImld]"

DalJeanis
Legend

Try this -

| where NOT match(column,"^[TImld]")

match looks for any subset of the field, so you use an anchor ^ to lock it to the beginning, and you don't have to worry about the *. You do have to close the square bracket to complete the specification of what kind of characters will match.

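As an added illustration (not from the thread), this Python snippet runs the three forms side by side on constructed sample values: the five-clause wildcard search from the question, the anchored regex from the answers, and the same class without the ^ anchor, and it also shows why the original "[TlmId*" attempt is rejected as a pattern.

```python
import re

# Constructed sample values for the field "column" (not taken from the thread).
SAMPLE_ROWS = ["Timeout", "Idle", "manual", "login", "delete", "Alice", "Bob", "xml", "ok"]


def wildcard_filter(rows):
    """Equivalent of: search column!="T*" column!="I*" column!="m*" column!="l*" column!="d*"
    Each clause is a prefix test, so a value is dropped only if it starts with one of the letters."""
    prefixes = ("T", "I", "m", "l", "d")
    return [r for r in rows if not r.startswith(prefixes)]


def anchored_regex_filter(rows, pattern=r"^[TImld]"):
    """Equivalent of: | where NOT match(column, "^[TImld]")  or  | regex column!="^[TImld]"
    match() looks anywhere in the field, so the ^ anchor pins the class to the first character."""
    return [r for r in rows if not re.search(pattern, r)]


def unanchored_regex_filter(rows, pattern=r"[TImld]"):
    """Same character class without ^: any value containing one of the letters anywhere is dropped,
    which is stricter than the five wildcard clauses and is the mistake the anchor prevents."""
    return [r for r in rows if not re.search(pattern, r)]


def is_valid_pattern(pattern):
    """The question's attempt "[TlmId*" never closes the square bracket, so it is not a valid
    character class; re.compile() rejects it instead of silently matching nothing."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print("wildcard  :", wildcard_filter(SAMPLE_ROWS))
    print("anchored  :", anchored_regex_filter(SAMPLE_ROWS))
    print("unanchored:", unanchored_regex_filter(SAMPLE_ROWS))
    print('"[TlmId*" valid?', is_valid_pattern("[TlmId*"))
```

Note that "Alice" and "xml" survive the anchored regex, exactly as they survive the wildcard clauses, but are wrongly dropped by the unanchored version because they contain l or m later in the value.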

tmarlette
Motivator

Regex very well may be a better option here, but I can't see enough of your search to tell you how effective it would be.

Can you copy your whole search query and anonymize whatever is necessary?

For instance:

index=myIndex sourcetype=mySourcetype  host=myHost | stats count by host username logingId