How would I exclude all events which contain a specific field value from a set of search results?
For instance:
source="mysource" | sort -_time | table UserLoginName _time | dedup UserLoginName
Gives me a table of usernames and last login time.
I'd like to filter out one of the users (say, SYSTEM) from the results...
You could simply add the search term "UserLoginName!=SYSTEM" or "NOT UserLoginName=SYSTEM" to the first command of your search :
source="mysource" UserLoginName!="SYSTEM" | sort -_time | table UserLoginName _time | dedup UserLoginName
If you are curious to find out more about the search language and its syntax, I recommend to consult our search tutorial :
http://www.splunk.com/base/Documentation/latest/User/WelcometotheSplunktutorial