- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for multiple values in field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to omit search results for a field that might have a couple of different values.
any ideas how to best do this? Is EVAL or LIKE the way to go?
Here's some sample data:
computerdisconnected="[bob sbr] [tube tue]"
computerdisconnected="[tube tue]"
condition-
If the computerdisconnected contains any values like "bob or "Tube" then don't return any results.
In other words I am getting regular reminders that these machines are disconnected, I only want NEW results so I want to keep a list of repeat offenders and ignore them.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do all the potential values for computerdisconnected get formatted like that? If so, this might work:
your base search NOT "[bob*" OR "[tube*"
So that's literally whatever you're searching for right now followed immediately by NOT "[bob*" OR "[tube*". The opening square brackets matter, I believe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do all the potential values for computerdisconnected get formatted like that? If so, this might work:
your base search NOT "[bob*" OR "[tube*"
So that's literally whatever you're searching for right now followed immediately by NOT "[bob*" OR "[tube*". The opening square brackets matter, I believe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And if my list continues to grow, just keep adding OR statements? OR " " OR "" OR "" ? I can do do this, just thought there was a cleaner way, like anything
LIKE or IN ("bob*,"tube*", "next*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your list is going to grow, you'd be very smart to follow @niketnilay's advice and set up a lookup table. His search structure will handle the formatting, too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree with @elliotproebstel and to add on I would move such patterns to lookup file
<YourBaseSearch> NOT
[| inputookup <yourLookupFileName>.csv
| eval <yourLookupFiledName>="*".<yourLookupFiledName>."*"
| rename <yourLookupFiledName> as search]
| <yourRemainingSearch>
Following is a sample search based on the data that you have provided (PS: makeresults used instead of inputlookup to mock up the terms to be filtered from search.
<YourBaseSearch> NOT
[| makeresults
| eval lookupData="bob,tube"
| makemv lookupData delim=","
| mvexpand lookupData
| eval lookupData="*".lookupData."*"
| rename lookupData as search]
| <yourRemainingSearch>
| makeresults | eval message= "Happy Splunking!!!"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
