Ok, I think we have it figured out now . . . It looks like the issue is that both search attempts are predicated on the existence of the tag you "don't want". The LISPY/Search Inspect shows the following for these: Search:   index="nameofourindex" test NOT tag="tagthatdoesntexistinsplunk"     Result:    info: The specified search will not match any events warn: Unable to find tag "tagthatdoesntexistinsplunk"     Search:   index="nameofourindex" test tag!="tagthatdoesntexistinsplunk"​   Result:    info: The specified search will not match any events warn: Unable to find tag "tagthatdoesntexistinsplunk"     Your other suggestions work, but I believe this would require that all events have at least one tag:   index="nameofourindex" test tag=* NOT tag=snooze OR index="nameofourindex" test tag=* tag!=snooze     Finally, I tried the following and this seems to do the trick. (However, does this mean the "NOT tag=tagthatdoesntexistinsplunk" isn't working as it should in that it should also include events with no tag at all in the search results?)   index="nameofourindex" test (tag=* NOT tag="tagthatdoesntexistinsplunk") OR (NOT tag=*)     Thanks again for all the help Rich, I was hoping this would be a layup question but it proved a little more tricky than I thought. I appreciate your time! Splunk_a_tron ... View more

When I run that it shows me that I have a total of 4 tags (which was to be expected), with 10 of 12 events having a tag of snooze. Should it have also enumerated the counts of the other 3 tags (because it did). so: tag count error 8 log 8 snooze 10 test 10   ... View more

Yup, you got it Rich. This is all correct and the search really is just the index and "test". Then if you change the last example to: index="nameofourindex" test NOT tag="tagthatdoesntexistinsplunk"   the search returns "No Results" (instead of what I/we believe should be 12). I also just tested this with event types that I created, to see if I could use that instead, and the same behavior occurs. If I attempt to search for all events that are not a given eventype (but that event type doesn't exist in splunk) I also get "no results". ... View more

Thanks Rich, I checked and the tags do indeed appear to be fields as they show up on the left-hand side with all the other fields. I also tried to see if it was how I was adding the tags and I tried via selecting a given field in search and adding the label as well as creating an event type and assign those events a label but the behavior stays the same. I might try this on other index and see if I still have the same issue. ... View more

Hi Rich, This is where my newness will likely shine, but when you say "category of event" do you just mean examples of the different types of events in the index that I am searching? If so, the following are some examples: Currently we have an index where we are sending custom formatted events via a python script based on calculated data form Corvil logs. We also sent in some test events, all of which include the word "test" somewhere in the event. The base search I am using to try and test the tags is simply 'index="nameofourindex" test. This returns approx. a dozen events that look like either of the following (note: event #1 has two fields that are pipe separated, whereas event#2 just has a string of "test log" in the raw text): Event Example 1: Time (date/Time) :  Event (Text=Monitoring Log Test| Type=LOG4) Event Example 2: Time (date/Time) :  test log The rest of the events in the index are the Corvil data events that have Time (date/Time) and then approx.  16 or so pipe separated fields. I selected events within the 12 that contain the word "test" and added the "snooze" label to those with "Type=LOG4", "Type=LOG5", etc. so that all the "test" events have a "snooze" label with the exception of those two that just have "test log" as raw text, which have no labels. If I add NOT tag=snooze then I only get the two events that have "test" but not a "snooze" label (so that works) If I change this to NOT tag=foo (where foo is not a currently used tag) I get zero results (when I would think I should get all 12 events that have "test" Apologies if my explanation is confusing or I am not providing the info you need, I appreciate your help and patience. ... View more

Hi Rich, Thanks for such a quick response! I actually tried both previously and get the same results with each: 1) 'NOT tag="sooze"'      -  This returns the correct results if at least one event has a tag of "snooze", but returns no results if no events have a tag of "snooze" 2) 'tag!="sooze"'      -  This returns the correct results if at least one event has a tag of "snooze", but returns no results if no events have a tag of "snooze" I agree that based on what I researched that I thought #1 above would have worked, but I got the same result with both so I reverted back to #2 in my original question. Any other thoughts as to why #1 may not be working? ... View more