Solved: How to ignore internal indexes when searching?

splunkreal · ‎09-23-2016

Hello,

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | where not like(title,"_%")

returns empty result.

However the where clause works if I don't use underscore.

My aim is to ignore internal indexes.

Thanks for your help.

* If this helps, please upvote or accept solution 🙂 *

dmaislin_splunk · ‎09-23-2016

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"

View solution in original post

dmaislin_splunk · ‎09-23-2016

| rest /services/data/indexes-extended | eval bd_home_event_min_time=strftime('bucket_dirs.home.event_min_time',"%d/%m/%Y") | eval bd_home_event_max_time=strftime('bucket_dirs.home.event_max_time',"%d/%m/%Y") | eval bd_cold_event_min_time=strftime('bucket_dirs.cold.event_min_time',"%d/%m/%Y") | eval bd_cold_event_max_time=strftime('bucket_dirs.cold.event_max_time',"%d/%m/%Y") | table title,bd_home_event_min_time,bd_home_event_max_time,bd_cold_event_min_time,bd_cold_event_max_time,splunk_server | sort title | search title!="_*"

splunkreal · ‎09-23-2016

Thanks!

By the way what is the difference between * and % (to use wildcard) ?

* If this helps, please upvote or accept solution 🙂 *

sduchene_splunk · ‎01-19-2017

and % are 2 different things : % are used for date formatting, see https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Commontimeformatvariables

% is not a wildcard.
for wildcard see : https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Wildcards

How to ignore internal indexes when searching?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor