×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mknezel1
Engager
Member since: ‎09-16-2020
‎09-17-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-16-2020
View All

Re: Trying to filter out multivalue rex returns wh...

by in Splunk Search
‎09-17-2020 11:18 AM
‎09-17-2020 11:18 AM
That was part of answer but it got more complex after... lots of zipping excluding and expanding! Thank you for the context and nudge in right direction. ... View more

Trying to filter out multivalue rex returns when t...

by in Splunk Search
‎09-16-2020 03:58 PM
‎09-16-2020 03:58 PM
Hi all,  I have run in to a wall on a query I am attempting. I am receiving an error on my log, and one of the items is there for good reason but my system still picks it up. The error is one long string (mostly) and I have used rex to extract both items as values and place them in a table, but they are gathered by message and I cannot get the system to acknowledge a not statement. Here is what I have: Basic search path | rex field=_raw max_match=0 "(?<Error>TCM-\d{5}).*?rowKey=(?<Value>\w*?),.*?]\)"| where not Value = CASHAMT | Table Error Value I have also tried != as well with little effect. I still get it in the table as one of three items for the days. if I do "CASHAMT" then it shows me no values (presumably because all the errors are in one message?)  I just do not want the error and value to show up on table when value = CASHAMT for that row. Any thoughts on this would be very useful, any further context I can provide as well ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-17-2020 04:34 PM
Karma given to
View All