How to search syntax to exclude dhost or URL

trojan_81 · ‎11-26-2019

New to Splunk here. Trying to run a search for user BLAHBLAH that does NOT contain dhost of api.drift.com
Would someone help me with the search? index=*

My search below but does not seem to be working:

index=* "BLAHBLAH" sourcetype=* dhost!="api.drift"

Raw syslog below:

Nov 26 16:40:26 QHLSTLS11 mwg: status="426/0" srcip="10.99.99.50" user="BLAHLBAH" dhost="presence.api.drift.com" urlp="443" proto="HTTPS/https" mtd="GET" urlc="Business" rep="0" mt="application/x-empty" mlwr="-" app="-" bytes="782/780/201/196" ua="Chrome77-10.0" lat="0/0/71/97" rule="Last Rule" url="https://presence.api.drift.com/ws/websocket?session_token=SFMyNTY.43QAAAACZAAEZGF0YXQAAAAFZAACaWRtAAAAEzEwMzg5Ny00MTE0MTAzMjM0LTRkAAZvcmdfaWRiAAGV2WQACXNjb3BlX3NldGwAAAABbQAAAARsZWFkamQbB3VzZXJfaWRuBADCOzj1ZAAJdXNlcl90eXBlZAAEbGVhZGQABnNpZ25lZG4GAE8ol55uAQ.7-xbZbLOyHODYgRuuNSrIkIupxR3MnYkslNfjSaDMZU&vsn=1.0.0"

sduff_splunk · ‎11-26-2019

index=* user="BLAHBLAH" dhost!="*api.drift*"

How to search syntax to exclude dhost or URL

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms