Splunk Search

Splunk search to remove entries where one value exists in another value

ccastrapel
New Member

Hi,

I have a working search right now that returns user and host. I am wondering how to remove results where the value of "user" exists in the value of "host". For example, if user="bob" and host="bob-linux", the entire entry would be removed. However, if user="ted" and host="bob-linux", the entry would remain. Is something like this possible through regex? I've searched, but I must not be hitting the right terminology because I'm coming up empty.

Thanks,
Curtis


Ayn
Legend
... | where !match(host,user)
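
An added example, not part of the original thread: it runs the filter from the answer above over constructed rows and compares it with a literal, case-insensitive substring test, since `match` interprets `user` as a case-sensitive regular expression. The field names `regex_hit`, `literal_hit` and `note` are hypothetical, the case-insensitive comparison is an assumption about intent, and the search assumes a Splunk version whose `makeresults` supports `format=csv`.

```spl
| makeresults format=csv data="user,host,note
bob,bob-linux,constructed: user is inside host
ted,bob-linux,constructed: user is not inside host
Bob,bob-linux,constructed: differs only by case
j.doe,jxdoe-laptop,constructed: dot in user acts as a regex wildcard"
| eval regex_hit=if(match(host, user), "yes", "no")
| eval literal_hit=if(like(lower(host), "%" . lower(user) . "%"), "yes", "no")
| where literal_hit="no"
| table user host regex_hit literal_hit note
```

Two rows remain: `ted` (no hit either way) and `j.doe`, which the regex test would have removed even though the literal user name is not in the host name. `like` still treats `_` and `%` in `user` as wildcards, so account names containing those characters can over-match.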