Splunk Search

How to edit my search to filter out a certain result?

yzimmer
New Member

Hi everybody!

In a Splunk Dashboard, I created a Bar Panel with this:

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count

That works fine! But I don't want to have the Property "U8_DOCUMENTTITLE" in my result...

So I have to change that:

stats count(U*) as U*

How can I ask "U* without U8_DOCUMENTTITLE"?

Thanks for helping me 😉

0 Karma
1 Solution

ryanoconnor
Builder

Can you exclude anything that has that field in your first search term?

 * NOT U8_DOCUMENTTITLE=* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count

Or exclude it in the middle:

 * | stats count(U*) as U* | transpose | search column!=U8_DOCUMENTTITLE | rename column AS Property "row 1" AS Count | SORT -Count


sundareshr
Legend

Try this

 * | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | search Property !="U8_DOCUMENTTITLE"
0 Karma

yzimmer
New Member

Hi Sundareshr!

Thanks for your answer, that works too, but Ryan was so fast 😉

Have a good day!

0 Karma

yzimmer
New Member

Hi Ryan!
Thanks a lot for your answer!
This code doesn't work:

* NOT U8_DOCUMENTTITLE=*

But this code works perfectly:

search column!=U1708_DOCUMENTTITLE

Thanks for your help!

0 Karma
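
The two placements suggested in the thread filter at different stages: `NOT U8_DOCUMENTTITLE=*` removes whole events before `stats` runs, while `search column!=U8_DOCUMENTTITLE` removes a single row after `transpose`. The Python sketch below is an added example (not from the thread and not Splunk code) that models those semantics in simplified form; the sample events and function names are constructed assumptions.

```python
# Simplified model of the SPL semantics involved (assumption: not Splunk itself).
# Constructed sample events; a field missing from the dict is a null field.
EVENTS = [
    {"U1_AUTHOR": "alice", "U8_DOCUMENTTITLE": "Q1 report"},
    {"U1_AUTHOR": "bob", "U3_TYPE": "pdf", "U8_DOCUMENTTITLE": "Invoice"},
    {"U3_TYPE": "docx"},
    {"U1_AUTHOR": "carol", "host": "dms01"},
]
EXCLUDED = "U8_DOCUMENTTITLE"


def stats_count_u(events):
    """Model of `stats count(U*) as U*`: per-field count of events where the field is present."""
    counts = {}
    for event in events:
        for field, value in event.items():
            if field.startswith("U") and value is not None:
                counts[field] = counts.get(field, 0) + 1
    return counts


def transpose_sorted(counts):
    """Model of `transpose | rename ... | sort -Count`: (Property, Count) rows, descending."""
    return sorted(counts.items(), key=lambda row: (-row[1], row[0]))


def filter_events_first(events):
    """`* NOT U8_DOCUMENTTITLE=*`: drops every EVENT that carries the field, before stats runs."""
    kept = [e for e in events if e.get(EXCLUDED) is None]
    return transpose_sorted(stats_count_u(kept))


def filter_rows_after(events):
    """`... | transpose | search column!=U8_DOCUMENTTITLE`: drops only the one result ROW."""
    rows = transpose_sorted(stats_count_u(events))
    return [(prop, count) for prop, count in rows if prop != EXCLUDED]


if __name__ == "__main__":
    print("event filter:", filter_events_first(EVENTS))
    print("row filter:  ", filter_rows_after(EVENTS))
```

In this model the row filter keeps the counts of the other `U*` fields intact, whereas the event filter lowers them, and returns nothing at all when every event carries the excluded field.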