Reputation: 2716
Splunk query to filter results
I have some code deployed on 1 out of my 6 servers. I need a splunk query that pulls data from the other 5 hosts. Something like - All except this 1 host. I know the host option in splunk to look for the host's logs, but I have no idea how to do all except 1. Can someone please assist me?
The one box I am talking about has my latest code changes, and the other 5 have my old code. So I want to write a query to do a before vs after analysis.
Upvotes: 0
Views: 5792
Answers (2)
Reputation: 111
Looks like you have your answer, but I use an alternative method that speeds things up for me.
Within your search results, you can quickly eliminate what you want to filter out by ALT-clicking on a value in a selected field. In your case, it would add NOT host="1" to your query and immediately update your results.
I find this particularly helpful when I'm in the preliminary stage of investigating an issue, and don't have enough information to know exactly where to look first. It makes it easy to rapidly eliminate what you don't need.
*Note: This may still be broken in Splunk 6, not sure if the bug has been fixed yet: http://answers.splunk.com/answers/109473/alt-click-not-working-selected-fields
Upvotes: 1
Reputation: 2716
Okay, I got the answer to my question. Just use !=. So if I want the results for all my hosts except host 1, all I do is - index=blah host!="1"
Upvotes: 0
Related Questions
- Filtering splunk results using results of another splunk query
- Extract data from splunk
- Splunk filter one search by another
- Splunk conditional search
- splunk query based on log stdout
- How to do compound query with where clause in Splunk?
- Searching for a particular kind of field in Splunk
- Splunk queries: filter by _meta fields
- Splunk query filter out based on other event in same index
- Splunk query based on the results of another query