Splunk Search

Use of NOT operator

lbogle
Contributor

Hello Splunkers,
I'm trying to run a search against some logs that include a wild carded hostname, two error messages but exclude two IP addresses. I have the first parts down but excluding the IP addresses isn't quite working out. What am I doing wrong here? (IP's modified for the post)

host="*-contlr-wl.Domain.COM" error OR fail* admin NOT (123.123.123.123 AND 456.456.456.456)

So I'm getting all reports from contlr-wl machines.
I'm getting all the messages that have either error OR fail* in them
But the two IP addresses are still showing up. How do I exclude those from my search?
Thanks everyone.

Tags (2)
0 Karma
1 Solution

lukejadamec
Super Champion

You are telling the search engine to only exclude the IPs if they both appear in the same event.

Try

NOT "*123.123.123.123*" NOT "*456.456.456.456*"

View solution in original post

lukejadamec
Super Champion

You are telling the search engine to only exclude the IPs if they both appear in the same event.

Try

NOT "*123.123.123.123*" NOT "*456.456.456.456*"

lbogle
Contributor

Awesome! That did it!
Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...