I have a large list of values for a field that I would like to exclude from my search. Rather than having a huge search with:
field!=value1
field!=value2
field!=value3
...
is there a way to use regex to pull out each value and append field!=
to the front? As far as I can tell, Splunk can only use regex when parsing the entries themselves, not a standalone string.
Thanks!
Are you planning to do something like this (this subsearch will take a standalone, comma-separated string and format it as a giant OR condition)? A sample run-anywhere query:
index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access,splunkd_access,splunk_web_service" | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype | format] | stats count by sourcetype
This will remove all the events belonging to any of the sourcetypes splunk_web_access, splunkd_access, splunk_web_service.
You can use eval to set a variable with the value of your string and then apply anything to it as if it is event data.
Thanks mreynov!
So if I have eval newField="field!=value1 field!=value2 field!=value3...." would I be able to use rex or something else to have Splunk exclude those values?
I'm also trying out somesoni2's method.
Not quite. Basically, I will have a list in an outside excel/word doc that I would want to copy & paste into a search and exclude those from the results. The plan is to do this in a macro for easier readability and modification when I want to use this list. Would makemv be able to help with that?
Thanks for the quick response!
If you copy-paste from the Excel/Word table into the search directly, are the values coming with line feeds? Something like this...
index=_internal NOT [| gentimes start=-1 | eval sourcetype="splunk_web_access
splunkd_access
splunk_web_service
" | eval sourcetype=replace(sourcetype,"\n",",") | makemv sourcetype delim="," | stats count by sourcetype | table sourcetype] | stats count by sourcetype
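An added example, not from this thread or from somesoni2's posts: a single subsearch that accepts either form of the list discussed above, the comma-separated string from the first answer and the line-separated paste from this one, in the same input. Every run of commas, line feeds or Windows carriage returns is collapsed to one comma before the string is split, each value is trimmed, and blank or duplicate entries are dropped, so a trailing newline from a paste cannot produce an empty exclusion. The field name sourcetype and the three sample values are the thread's; makeresults, split, mvexpand, trim, dedup and format are standard commands and functions that I substituted for the gentimes/makemv pipeline. makeresults plays the same role gentimes plays in the thread's queries: a subsearch has no events of its own, so a generating command is needed to emit the single row that eval then attaches the string to.

```spl
index=_internal NOT [
    | makeresults
    | eval list="splunk_web_access,splunkd_access
splunk_web_service
"
    | eval sourcetype=split(replace(list, "[\r\n,]+", ","), ",")
    | mvexpand sourcetype
    | eval sourcetype=trim(sourcetype)
    | where sourcetype!=""
    | dedup sourcetype
    | table sourcetype
    | format
]
| stats count by sourcetype
```

The subsearch returns one search string of the form ( ( sourcetype="splunk_web_access" ) OR ( sourcetype="splunkd_access" ) OR ( sourcetype="splunk_web_service" ) ), which the outer NOT negates. Running the outer search without NOT is a quick check that the generated clause matches exactly the values pasted in; once that looks right, the bracketed subsearch is the part to save as a macro, with the pasted list as its only moving part. Values containing double quotes would need to be escaped before pasting, since they would otherwise end the eval string literal early.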
If I understand your question, then yes I believe each entry will be on its own line.
So will the format in which I wrote the thing for _internal data work for your query? Try to run it in the search bar first; if it works fine, save the subsearch as a macro and use the macro there.
In your new example, it looks like the results still include the three sourcetypes you listed (but I think the original example works right).
I tried using your format with my code but the values I specify still show up in the results.
Ah, I stand corrected--I left out the gentimes start=-1 because I thought that was specific to your example!
So after some testing it looks like it does what I want it to do! I basically just used my code with your structure and it works great.
I read up on gentimes but I still have a question: why was it necessary for this query to run correctly?
Thanks again!