Search and filter by fieldname

OldManEd · ‎12-13-2013

I have a simple search query that is collecting data from XML. The search query is below;

sourcetype=someSourceType userid success* | rex \"FIELDA>(?<myfield>\[^\\<\]+)\"

And it gives me a bunch of data. And that's OK except my result set should not include anything where "myfield='123abc'".

Can someone tell me how to accomplish this task.
(I'm really new to Splunk.)

The input data looks like this;

<log>
    <FIELDA>111aaa</FIELDA>
</log>
<log>
    <FIELDA>123abc</FIELDA>
</log>
<log>
    <FIELDA>222bbb</FIELDA>
</log>

OldManEd · ‎12-13-2013

Ayn,

Thanks but I tried that and it didn't work for some reason. But that's OK. I just came up with another solution. I added this to the query;

sourcetype=someSourceType userid success* NOT ("<FIELDA>123abc")  | rex \"FIELDA>(?<myfield>\[^\\<\]+)\"

And that seemed to work just fine.

Thanks for your suggestion.

jtrucks · ‎12-13-2013

I think there was some miscommunication. I suspect Ayn is suggesting doing:

sourcetype=someSourceType userid success* | rex \"FIELDA>(?[^\<]+)\" | search NOT myfield=123abc

Which will work.

--
Jesse Trucks
Minister of Magic

Ayn · ‎12-13-2013

If you're new to Splunk I'd advise you to look into why the other solution didn't work - not that the alternative solution isn't fine, just that the solution I provided should work just fine if you're extracting the field correctly.

Ayn · ‎12-13-2013

Add at the end:

... | search NOT myfield=...

Search and filter by fieldname

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!