Splunk Search

Why searching for a string with comparison operator "!=" returns the same source file name as "="?

jBoynton
Engager

Hello:

I have a single source file that contains a string of interest.

When I run this query I get a single correct answer:

sourcetype=*** _raw = "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source

"Correct answer" meaning the file name ("source" field) that contains the "WARNING UPS AUTO VOLT REG ON" text string.

But when I negate the search query ("_raw !=" instead of "_raw ="):

sourcetype=*** _raw != "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | dedup source | table source

I get a list of files that includes the file that does have the string of interest. I'm confused as to how the same source file can appear as both containing and not containing the string of interest.

It's probably something simple I'm overlooking, suggestions welcome. Thanks.

1 Solution

somesoni2
SplunkTrust

Consider this example

File 1
event 1:   My name is somesh
event2:    I live in Charlotte

File 2
event 1:  This is somesh again
event 2:  I moved to Atlanta now.

File 3
event 1:  Don't know who wrote this
event 2:  Don't care where he lives.

If I search this

index=blah "*somesh*" | stats count by source | table source

It will match event 1 from File1 and File2 and thus will return File1 and File2 in the result.

If I search this

index=blah NOT "*somesh*" | stats count by source | table source

It will still match event 2 from File1 and File2 (they don't have the word searched) and both events from File3, thus returning File1, File2 and File3 in the result.

If you want to list the sources in which none of the events contain the word you're searching for, try this:

sourcetype=*** NOT [search  sourcetype=*** "*WARNING UPS AUTO VOLT REG ON*" earliest="-2w" latest = "now" | stats count by source | table source]  earliest="-2w" latest = "now" | stats count by source | table source

You're basically (in the subsearch) getting the list of sources which contain the word and then excluding them ("NOT [subsearch result]").


kristian_kolb
Ultra Champion

As an addition, you should be aware of a few things:

1) NOT isn't the same as !=. Consider the following statements:

NOT bob - will drop all events containing the string 'bob'. Simple.

NOT user=bob - will drop all events where the field 'user' has the value 'bob'. Does not have to contain the literal string.

NOT "user=bob" - will drop all events matching the whole string. Will keep events where 'user' gets the value 'bob' from some other type of field extraction.

user != bob - will only return events that contain the field 'user', and where the value isn't 'bob'. So events that don't have a 'user' field at all will also be dropped.

2) Asterisks cannot be escaped in the search language; they will be parsed as a wildcard character. Unless you're looking for strings like "BIGWARNING UPS AUTO VOLT REG ONTOP", just leave them out.

3) Searching for _raw != "*BLAH BLEH*" is probably not as good as NOT "BLAH BLEH".

/K
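An added illustration (not part of either answer, and not Splunk code) that models both points in Python: somesoni2's per-event matching versus per-source exclusion, and kristian_kolb's distinction between `NOT user=bob` and `user != bob`. The events, the `user` values and the helper names are constructed for this example.

```python
# Toy model of Splunk's event-level matching; events are constructed from the
# File 1/2/3 example above, with a 'user' field added to show NOT vs !=.
from dataclasses import dataclass, field

@dataclass
class Event:
    source: str
    raw: str
    fields: dict = field(default_factory=dict)  # extracted fields, e.g. {"user": "bob"}

EVENTS = [
    Event("File1", "My name is somesh", {"user": "somesh"}),
    Event("File1", "I live in Charlotte"),
    Event("File2", "This is somesh again", {"user": "somesh"}),
    Event("File2", "I moved to Atlanta now.", {"user": "bob"}),
    Event("File3", "Don't know who wrote this"),
    Event("File3", "Don't care where he lives."),
]

def contains(term):
    """Bare search term: per-event substring match on _raw."""
    return lambda e: term in e.raw

def not_contains(term):
    """NOT term: keeps every event whose _raw lacks the term (still per-event)."""
    return lambda e: term not in e.raw

def field_not_equal(name, value):
    """field != value: the field must exist AND differ; events without it are dropped."""
    return lambda e: name in e.fields and e.fields[name] != value

def not_field_equal(name, value):
    """NOT field=value: keeps events where the field is absent or differs."""
    return lambda e: e.fields.get(name) != value

def sources_matching(pred, events=EVENTS):
    """'| stats count by source' after a per-event filter: one hit lists the source."""
    return sorted({e.source for e in events if pred(e)})

def sources_with_no_match(term, events=EVENTS):
    """The subsearch approach: drop every source that has at least one matching event."""
    hit = set(sources_matching(contains(term), events))
    return sorted({e.source for e in events} - hit)

if __name__ == "__main__":
    print(sources_matching(contains("somesh")))               # ['File1', 'File2']
    print(sources_matching(not_contains("somesh")))           # ['File1', 'File2', 'File3']
    print(sources_with_no_match("somesh"))                    # ['File3']
    print(sources_matching(field_not_equal("user", "bob")))   # ['File1', 'File2']
    print(sources_matching(not_field_equal("user", "bob")))   # ['File1', 'File2', 'File3']
```

The second and third results are the two queries from the question: negating the term per event still lists every source, while excluding sources found by a subsearch is what actually answers "which files never contain it".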

