How to exclude a hyphen "-" field value from my search results?

dineshp
Explorer

When running this search:

index=syslog | stats count by UserAgent

it gives me - and a whole bunch of other User Agents. Some of the logs do not have a User Agent, so they have - instead. I just want to exclude this from the result.

I tried:

index=syslog UserAgent!="-" | stats count by UserAgent
index=syslog UserAgent!=- | stats count by UserAgent
index=syslog NOT UserAgent=- | stats count by UserAgent
index=syslog NOT UserAgent="-" | stats count by UserAgent

No luck. Any help will be appreciated, thank you.


masonmorales
Influencer

What about this?

index=syslog | eval NullUserAgent=if(like(UserAgent, "-"), "True", "False")  | search NullUserAgent="False" | stats count by UserAgent 

Or:

index=syslog | rex field=UserAgent "^(?P<NullUserAgent>\-)$" | search NOT NullUserAgent | stats count by UserAgent 

masonmorales
Influencer

In your results, if you hold the ALT key, and click on the "-" in the UserAgent column, does the drill-down search properly exclude it? If it does, copy the syntax that Splunk used to exclude it into your original search.

rsennett_splunk
Splunk Employee

Oh... Very good idea!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

autolycus
New Member

No dice... it filters out everything...

masonmorales
Influencer

If this worked, please choose "Accept Answer".

dineshp
Explorer

Naa.. That didn't work. When I press "Alt" it came up as NOT - .
This resulted in fewer search results.

rsennett_splunk
Splunk Employee

What version of Splunk are you using? If it's current... clicking on the hyphen when you just list out the data should give you a popup with the option to list the events filtered by what you're clicking on. That should show you what Splunk is seeing...

dineshp
Explorer

I believe we are running 5.x. There are no popups :'(

markthompson
Builder

You've already said that when you did Alt and clicked on it, Splunk appended NOT - to your search; emulate that and put it in your original search:

base search NOT - | ...

Let us know the outcome


rsennett_splunk
Splunk Employee

All of those are correct if the value of the UserAgent field is indeed sometimes a hyphen.
So this suggests you've got to check yourself for assumptions.

...|stats count by UserAgent|sort UserAgent

Does that show you the hyphen at or near the top of the list?

dineshp
Explorer

I know what you are saying. When I run .....|stats count by UserAgent|sort UserAgent
"-" is always at the top with the highest count.

rsennett_splunk
Splunk Employee

Okidoke... now you have to start doubting your eyes... try "*-*". Maybe there are control characters in there? Maybe post a couple of events with your question; perhaps there's something off that another pair of eyeballs will see.

dineshp
Explorer

This works, but I think it's excluding something else as well, not just the UserAgent field.

rsennett_splunk
Splunk Employee

Show us a data sample please.
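Putting the thread's suggestions together, as an added SPL example that is not from any of the posts above: the first search lists every UserAgent value containing a hyphen together with its length and a copy in which non-printable bytes are replaced by <?>, so a value that merely looks like - (hidden whitespace or control characters) stands out; the second excludes the hyphen at the field level after trimming whitespace, instead of NOT - on the base search, which matches a hyphen anywhere in the event and so drops unrelated events too. The index syslog and field UserAgent come from the question; ua_len and ua_visible are names chosen here.

```spl
index=syslog UserAgent="*-*"
| eval ua_len=len(UserAgent), ua_visible=replace(UserAgent, "[^\x20-\x7e]", "<?>")
| stats count by UserAgent ua_len ua_visible
| sort -count

index=syslog
| where trim(UserAgent)!="-"
| stats count by UserAgent
| sort -count
```

Run the two searches separately; a "-" row with ua_len greater than 1 in the first search explains why an exact UserAgent!="-" filter leaves it in place.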