Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter values to remove attributes from a table?

gmartinv
New Member
‎05-18-2020 03:42 PM

Hello Splunkers,

I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source] | dedup Email_Address | fields Email_Address Terminated_List |eval e_Mail=tostring(upper(Email_Address)) | eval Terminated_List="Terminated Employees"

| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List |eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"] 

| table e_Mail Terminated_List | where Terminated_List!="*Terminated*"

Any ideas or suggestions??

Thank you!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2020 04:28 PM

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-18-2020 04:28 PM

Unlike search, where does not use * as a wildcard character - it's a literal. You can use where NOT match(Terminated_List, ".*Terminated.*"), but it's simpler to use search "*Terminated*".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gmartinv
New Member
‎05-19-2020 07:31 AM

Hi there,

Thank you for your response. A have a few questions:

  • The MATCH function is working as expected. However, why do we need to add "." before the "*"?
  • The SEARCH function is not working. I get "No results found"...do you know why?

Thank you again.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2020 05:36 AM

match uses regular expressions. In regular expressions, .* means any character, any number of times.
I don't know why search isn't working.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...