peaceamit
Reputation: 121
How to ignore a specific sub-string from Splunk query
Need some help to generate appropriate Spunk query. I am searching for this but could not come up with a solution.
Currently, I want to ignore all error alerts that are generated for logs with only ev31=error; term. If we use NOT ev31=error; in search query, it also removes results with valid error terms. So the current query will fail in case log contains both error and ev31=error; terms resulting in incorrect results.
Can anyone suggest a example query, where we can ignore ev31=error; term altogether but keep logs with error term.
Upvotes: 11
Views: 32512
Answers (1)
Shakeel
Reputation: 1059
Try including the string you want to ignore in quotes, so your search might look something like index=myIndex NOT "ev31=error"
Upvotes: 16
Related Questions
- Exclude string from matched result in regex
- How to exclude a particular string from set of server logs
- Get rid of characters between two characters in Splunk
- Match a word, but ignore occurences in certain phrases
- Splunk subsearch for regex outputs
- regex:how to specify and end of the capture
- Regex to extract two values from single string in Splunk
- RegEx in Splunk Search
- Negative regex in splunk (not using fields)
- A regex with Splunk