First, I am completely new to Splunk and the extent of my expertise with the query language is dumb wildcard matching and boolean combinations. I'm more than happy to learn more, but you're going to have to explain it assuming minimal knowledge. More than happy to rtfm, if someone could point me to the part of the manual I should be reading (all of it is not a good answer).
So actual question:
I want to exclude all events where one of the fields contains a substring of the following form: "string-one":"string-two", where string-one and string-two are particular strings of interest. So for example I'd like to match
field: blah blah blah "foo":"bar"
But not
field: blah blah blah "string-one":"string-two"
As an additional note, this is only one filter in a long list of conditions in the query
I've tried a simple :
Field NOT ("*\string-one\":\"string-two\"*")
But it isn't working as I expect
There's an extra escape character in your search string. Try Field NOT ("*string-one\":\"string-two\"*")
or Field NOT ('*string-one":"string-two"*')
. If those fail, try ... | where NOT like(field, '%string-one":"string-two"%') | ...
.