- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Exclude Hosts In A Saved Search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a saved search that is looking at the % disk space free on each drive over a number of window server. There are three servers that are showing over a certain threshold. Is there anyway to add in an exlude syntax in the saved search to not report on these three servers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to expand on your question, do you wish to only exclude these drives if it reaches a certain threshold? Or do you mean you simply want to exclude these drives from the start?
If it is the latter, you could just add something like "NOT host=<drive name>" (if you are using the drive as the host)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to expand on your question, do you wish to only exclude these drives if it reaches a certain threshold? Or do you mean you simply want to exclude these drives from the start?
If it is the latter, you could just add something like "NOT host=<drive name>" (if you are using the drive as the host)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have done a field extraction on the instance, and you just want to exclude all events from that drive, you could also include a...
- NOT instance=E: |
(for example).
If not you could do something like...
- | rex field=_raw "instance=\s*(?
\w*):"
However this should be done by default (except it will include the ":"), and then add pipe to a search...
- | rex field=_raw "instance=\s*(?
\w*):" | search NOT INSTANCE=E |
But this could be a little inefficient, preferably you would want to extract the field using IFX.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you done a field extraction for the "instance" field?
Do you mean... you would like to exclude events similar to this (i.e. those from drive E)? Or you want to exclude the drive instance just from the results?
Can you include your saved search in this thread please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, many thanks for your reply. The NOT host is working but I would like to exclude the host name along with drive letter (instance) for each server
Below is what I see in Splunk when I run my % disk space free query:
11/28/2011 14:54:20.073
collection="Free Disk Space E"
object=LogicalDisk
counter="% Free Space"
instance=E:
Value=45.903129070366219
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
