Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Difference between NOT and != Operators

jli001
Explorer
‎06-10-2015 05:18 PM

index="aws-cloudtrail" errorCode!=success returns the results I expect, i.e., events that have error codes other than "success".

index="aws-cloudtrail" NOT errorCode=success returns no results at all.

I understand that the != operator implies that field exists in my data, but that does not explain the behavior I am seeing.

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-10-2015 05:20 PM

Try with quotes around "errorCode=success"

View solution in original post

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎06-10-2015 05:20 PM

Try with quotes around "errorCode=success"

Reply
Solved! Jump to solution

jli001
Explorer
‎06-10-2015 05:35 PM

Ha! That works.

The string "errorCode=success" does not actually exist in the raw data (which is in JSON). errorCode=success is how Splunk's "syntax highlighting" presents the data. I wonder if Splunk is looking for the string errorCode=success literally when I don't have quotes around it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...