Exclude events with specific field value from resu... - Splunk Community

Getting Data In

How would I exclude all events which contain a specific field value from a set of search results?

For instance:
source="mysource" | sort -_time | table UserLoginName _time | dedup UserLoginName

Gives me a table of usernames and last login time.

I'd like to filter out one of the users (say, SYSTEM) from the results...

You could simply add the search term "UserLoginName!=SYSTEM" or "NOT UserLoginName=SYSTEM" to the first command of your search :



source="mysource" UserLoginName!="SYSTEM" | sort -_time | table UserLoginName _time | dedup UserLoginName

If you are curious to find out more about the search language and its syntax, I recommend to consult our search tutorial :

http://www.splunk.com/base/Documentation/latest/User/WelcometotheSplunktutorial

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...