How to ignore a specific sub-string from Splunk query

regex splunk
peaceamit picture peaceamit · Jun 19, 2014 · Viewed 23.1k times · Source

Need some help to generate appropriate Spunk query. I am searching for this but could not come up with a solution.

Currently, I want to ignore all error alerts that are generated for logs with only ev31=error; term. If we use NOT ev31=error; in search query, it also removes results with valid error terms. So the current query will fail in case log contains both error and ev31=error; terms resulting in incorrect results.

Can anyone suggest a example query, where we can ignore ev31=error; term altogether but keep logs with error term.

Answer

Shakeel picture Shakeel · Jun 21, 2014

Try including the string you want to ignore in quotes, so your search might look something like index=myIndex NOT "ev31=error"

Related questions

What does (?i) and ?@ in this regex mean

In the following regex what does "(?i)" and "?@" mean? (?i)<.*?@(?P<domain>\w+\.\w+)(?=>) I know that "?" means zero or one and that i sets case insensitivity. This regex captures domains from an email address in …

Read More
Need to extract and re-format with RegEx

I'm using Splunk to parse some logs that have our "hub" and "comp" IDs embedded in them, down in the body of the message. I need to use a field extraction RegEx to pull them out in the form: HHHH-CCCC …

Read More
Regular expression to match a line that doesn't contain a word

I know it's possible to match a word and then reverse the matches using other tools (e.g. grep -v). However, is it possible to match lines that do not contain a specific word, e.g. hede, using a regular …

Read More