Solved: How do I not show the value I do not want?

mplungjan · ‎10-10-2013

For an apache access log file with an extra field I have created a field extraction myfield - it works great.

I then want to extract all rows where this field is not equal to "-"

So I make a search

myfield !="-" | top limit=10000 myfield

And I still see "-" in the table

I even tried

myfield !="-" | top limit=10000 myfield | where myfield != "-"

Nope - still there. Since the vast majority of record have "-", all the rest have tiny colums.

What am I doing wrong and where in the documentation does it tell me what I had to do.

It is a bit like the useother=0

mplungjan · ‎10-11-2013

Solved!

The extract included the quotes.

myfield!="\"-\""

works!

View solution in original post

mplungjan · ‎10-11-2013

Solved!

The extract included the quotes.

myfield!="\"-\""

works!

mplungjan · ‎10-11-2013

No difference. See update

hRun · ‎10-11-2013

myfield may contain a blank infront of or after the "-", have you tried myfield!="- ", myfield!=" -" or myfield!="*-*", etc.

gfuente · ‎10-11-2013

Have you tried this?

search NOT myfield="-" |....

Regards

Ayn · ‎10-11-2013

In that case all your events have a "myfield" with the value "-". Either that, or you're issuing the search incorrectly. Note that you should not be including the actual "search" word if this is the first command in the search pipeline.

mplungjan · ‎10-11-2013

No results at all

How do I not show the value I do not want?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!