Hi guys
I'm doing a correlation search where I'm looking for hostnames and filtering for events I don't want, e.g.
sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....
Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or is it just tidier to read?
Cheers
Wish Granted!!! In Splunk 6.6 -
The search command supports the IN operator:
sourcetype=xyz status IN (100, 102, 103)
The eval and where commands support the in() function:
| where in(status,"222","333","444","555")
This test will ALWAYS be true...
dest!=Prefix1* OR dest!=Prefix2*
...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criteria.
Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criteria.
...so, that should be coded in either of the following ways...
NOT ( dest=Prefix1* OR dest=Prefix2*)
...or...
(dest!=Prefix1* AND dest!=Prefix2*)
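The point made above (and the IN operator from the earlier answer) is easy to check outside Splunk. Here is an added Python example, not code from the thread, that evaluates the three filter shapes over a few constructed DHCP-style events using a Splunk-like `*` wildcard; the hostnames and the `EXCLUDE` list are assumptions:

```python
import fnmatch

# Constructed sample DHCP-style events (hostnames are made up for this example).
EVENTS = [
    {"dest": "Prefix1-laptop01"},
    {"dest": "Prefix2-printer07"},
    {"dest": "Prefix3-server02"},
    {"dest": "guest-phone-15"},
]

# Prefixes to exclude, written like the thread's dest!=Prefix1* patterns.
EXCLUDE = ["Prefix1*", "Prefix2*", "Prefix3*"]

def matches(value, pattern):
    """Splunk-style wildcard: '*' matches any run of characters.
    Modelled as case-insensitive here, like field=value in the search command."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def filter_or_not_equal(events, patterns):
    """dest!=P1* OR dest!=P2* ...: true whenever dest fails to match at least
    one pattern, so any host that does not match ALL patterns at once passes."""
    return [e for e in events if any(not matches(e["dest"], p) for p in patterns)]

def filter_not_or(events, patterns):
    """NOT (dest=P1* OR dest=P2* ...): drop an event that matches any pattern.
    Same result as NOT dest IN (P1*, P2*, ...) on Splunk 6.6+."""
    return [e for e in events if not any(matches(e["dest"], p) for p in patterns)]

def filter_and_not_equal(events, patterns):
    """dest!=P1* AND dest!=P2* ...: equivalent to the NOT (...) form (De Morgan)."""
    return [e for e in events if all(not matches(e["dest"], p) for p in patterns)]

def names(events):
    """Just the dest values, for readable output."""
    return [e["dest"] for e in events]

if __name__ == "__main__":
    print("OR of !=  :", names(filter_or_not_equal(EVENTS, EXCLUDE)))   # everything survives
    print("NOT (OR =):", names(filter_not_or(EVENTS, EXCLUDE)))         # only the guest host
    print("AND of != :", names(filter_and_not_equal(EVENTS, EXCLUDE)))  # only the guest host
```

With several distinct prefixes, the OR-of-`!=` form never removes anything, which is why the exclusion list has to be written with AND or wrapped in NOT.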
Hello!
No, there is not another way to do it. And you don't have to put the where clause. Just type your search like this:
sourcetype=dhcplogs (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4*)
Thanks
I've also tried
replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2
however that has 0 results. I'm thinking Splunk is not treating prefix1* as a wildcard but as a string?
Any more advice is most welcome.
Cheers
No. There was an error in my query. This is what to write:
replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2
And, if prefix1* is a string in your events, meaning you are not trying to match any character, just write
...| where dest!="prefix1*" OR dest!="prefix2*"
Thanks
Thanks stephanefotso,
I'm using this in a new correlation search using guided mode. I'm at the filter stage of the search creation wizard and have put:
dest!=Prefix1* OR dest!=Prefix2*
yet there is an error below that says
" ! Search does not parse"
I've used the network sessions datamodel and specified the search time.
How would I know what "Application Context" to use for each correlation search?
Thanks for your help
I also specified DHCP as part of the network session data model.
If you are at the filter stage, I think you must use the where clause. But the problem is that the star (*) cannot work with the where clause, meaning `|where dest!=Prefix1*` is an error.
try:
...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2