Alerting

how to exclude some index results

rhayle
Path Finder

If you want to get all the indexes, do this:
eventcount index=* summarize=false

How do I exclude summary, history and main from my index results?
Thanks

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

This works for me.

| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

This works for me.

| eventcount summarize=false index=* index=_* | search NOT (index=main OR index=summary OR index=history)

rhayle
Path Finder

Thanks, this is what I wanted.

| eventcount summarize=false index=* | search NOT (index=main OR index=summary OR index=history)

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try 'eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)'

---
If this reply helps you, Karma would be appreciated.
0 Karma

rhayle
Path Finder

I have try these out as a search and they do not work. Am I missing something?

| eventcount index=* NOT index=main NOT index=history NOT sourcetype=stash summarize=false

| eventcount index=* summarize=false NOT (index=main OR index=summary OR index=history)

0 Karma

yannK
Splunk Employee
Splunk Employee

if you want to search but exclude "exclude summary, history and main"

try
index=* NOT index=main NOT index=history NOT sourcetype=stash

and if you want the internal indexes, add
index=* OR index=_* NOT index=main NOT index=history NOT sourcetype=stash

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...