Solved: Is there a way to use regex on a standalone string...

jlosee · ‎07-27-2015

I have a large list of values for a field that I would like to exclude from my search. Rather than having a huge search with:

field!=value1
field!=value2
field!=value3
...

is there a way to use regex to pull out each value and append field!= to the front? As far as I can tell, Splunk can only use regex when parsing the entries themselves, not a standalone string.

Thanks!

somesoni2 · ‎07-27-2015

Are you planning to do something like this (this subsearch will take a stand alon, comma separated string, and format it as an giant OR condition), a sample run anywhere query

index=_internal  NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access,splunkd_access,splunk_web_service" | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype | format]  | stats count by sourcetype

This will remove all the events belongs to any of the sourcetype from splunk_web_access,splunkd_access,splunk_web_service.

View solution in original post

mreynov_splunk · ‎07-27-2015

you can use eval to set a variable with the value of your string and then apply anything to it as if it is event data.

jlosee · ‎07-28-2015

Thanks mreynov!

So if I have

eval newField= "field!= value1 field!=value2 field!=value3...."

Would I be able to use rex or something else to have Splunk exclude those values?

I'm also trying out somesoni2's method.

somesoni2 · ‎07-27-2015

Are you planning to do something like this (this subsearch will take a stand alon, comma separated string, and format it as an giant OR condition), a sample run anywhere query

index=_internal  NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access,splunkd_access,splunk_web_service" | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype | format]  | stats count by sourcetype

This will remove all the events belongs to any of the sourcetype from splunk_web_access,splunkd_access,splunk_web_service.

jlosee · ‎07-27-2015

Not quite. Basically, I will have a list in an outside excel/word doc that I would want to copy & paste into a search and exclude those from the results. The plan is to do this in a macro for easier readability and modification when I want to use this list. Would makemv be able to help with that?

Thanks for the quick response!

somesoni2 · ‎07-27-2015

If you copy past from the Excel/Word table into the search directly, is the values coming with line feed. Something like this...

index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access
splunkd_access
splunk_web_service
" | eval sourcetype=replace(sourcetype,"\n",",") | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype] | stats count by sourcetype

jlosee · ‎07-28-2015

If I understand your question, then yes I believe each entry will be on its own line.

somesoni2 · ‎07-28-2015

So will the format in which I wrote the thing for _internal data, works for your query? Try to run them in search bar first, if works fine, you saved the subsearch as macro and use the macro there

jlosee · ‎07-28-2015

In your new example, it looks like the results still include the three sourcetypes you listed (but I think the original example works right).

I tried using your format with my code but the values I specify still show up in the results.

jlosee · ‎07-28-2015

Ah I stand corrected--I left out the gentimes start=-1 because I thought that was specific to your example!

So after some testing it looks like it does what I want it to do! I basically just used my code with your structure and it works great.

I read up on gentimes but I still have a question: why was it necessary for this query to run correctly?

Thanks again!

Is there a way to use regex on a standalone string to pull out each value, then append "field!=" to the front to exclude these values from a search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life