Nital

Reputation: 6114

How to find all the events that do not match a pattern in Splunk?

I am trying to find all the events that do not match a specific string in Splunk. In my case I am trying to build a report for all the events where ResponseCode:401, ResponseCode:404, etc. In short, it could be anything but 200.

But not sure how to do so.

Here are some sample events.

Events:

DNS:www.mybonuscenter.com Host:10.94.64.74 RequestMS:2414 EventTime:[06/Aug/2018:14:06:57 -0400] Request:"GET /bizrateapp/app.bundle.dd46e01d637d8dbcc456.js HTTP/1.1" ResponseCode:200 Size:414360

DNS:www.mybonuscenter.com Host:10.94.64.74 RequestMS:168 EventTime:[06/Aug/2018:14:11:50 -0400] Request:"GET /favicon.ico HTTP/1.1" ResponseCode:404 Size:209

Search Head Command using regex:

index="my_cw_index" | regex (?:[^ResponseCode\:200]*)

Output

Error in 'SearchParser': Missing a search command before '^'. Error at position '39' of search query 'search index="syn_prod_cw" | regex (?:[^ResponseCo'.

Upvotes: 0

Views: 6756

Answers (1)

Akah

Reputation: 1920

Have you tried something without a regular expression, like this?

index="my_cw_index" AND NOT "ResponseCode:200"

From what I see, this is the easiest way to filter queries by elements that do not contain "ResponseCode:200".

If you want to extract the code parameter to use it later, you would need a regular expression:

index="my_cw_index" | rex field=_raw "ResponseCode:(?<code>([\w]+))" | where code != 200

Note : the regular expression I used has not been tested.

Upvotes: 2
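The two approaches in the answer behave differently, and Splunk itself cannot be run offline, so here is an added Python example (not part of the original question or answer) that replays both over the question's sample events plus one constructed edge case. The `NOT "ResponseCode:200"` form is a substring test on the raw event, so it also drops an event whose request URL happens to contain that literal. The `rex`-then-`where` form extracts a field, but the answer's pattern `ResponseCode:(?<code>([\w]+))` is unanchored and takes the first occurrence, which can be the one inside the URL. The tightened pattern `STRICT_RE` is an assumption of this example, not something from the answer; it requires the key to start after whitespace, the value to be three digits, and the `Size:` field to follow. Splunk's `rex` uses PCRE named groups `(?<name>...)`; Python's `re` module spells them `(?P<name>...)`, which is the only translation applied. Events where the pattern does not match are dropped, mirroring how `where code != 200` evaluates to false when `code` is null.

```python
import re

# Constructed sample events modelled on the log format in the question (not real data).
SAMPLE_EVENTS = [
    'DNS:www.mybonuscenter.com Host:10.94.64.74 RequestMS:2414 '
    'EventTime:[06/Aug/2018:14:06:57 -0400] '
    'Request:"GET /bizrateapp/app.bundle.dd46e01d637d8dbcc456.js HTTP/1.1" '
    'ResponseCode:200 Size:414360',
    'DNS:www.mybonuscenter.com Host:10.94.64.74 RequestMS:168 '
    'EventTime:[06/Aug/2018:14:11:50 -0400] '
    'Request:"GET /favicon.ico HTTP/1.1" ResponseCode:404 Size:209',
    # Constructed edge case: the literal "ResponseCode:200" appears inside the request
    # URL (attacker-controlled input), but the real response code is 401.
    'DNS:www.mybonuscenter.com Host:10.94.64.74 RequestMS:91 '
    'EventTime:[06/Aug/2018:14:12:03 -0400] '
    'Request:"GET /search?q=ResponseCode:200 HTTP/1.1" ResponseCode:401 Size:512',
]

# The answer's rex pattern, translated from PCRE (?<code>...) to Python (?P<code>...).
# It is unanchored, so re.search returns the first occurrence in the event.
LOOSE_RE = re.compile(r"ResponseCode:(?P<code>\w+)")

# Tightened pattern (an assumption of this example, not from the answer): the key must
# follow whitespace, the value must be exactly three digits, and the Size: field must
# follow, so a copy of the literal inside the request URL cannot satisfy it.
STRICT_RE = re.compile(r"\sResponseCode:(?P<code>\d{3})\s+Size:")


def substring_filter(events, needle="ResponseCode:200"):
    """Equivalent of:  index="my_cw_index" AND NOT "ResponseCode:200"
    Drops any event whose raw text contains the needle anywhere."""
    return [e for e in events if needle not in e]


def extract_code(event, pattern=STRICT_RE):
    """Equivalent of the rex command: the extracted code, or None when the pattern
    does not match (Splunk would leave the field null)."""
    m = pattern.search(event)
    return m.group("code") if m else None


def field_filter(events, ok_code="200", pattern=STRICT_RE):
    """Equivalent of:  ... | rex field=_raw "<pattern>" | where code != 200
    Compares the extracted field rather than the raw text. Events with no match are
    dropped, as `where` on a null field evaluates to false."""
    kept = []
    for e in events:
        code = extract_code(e, pattern)
        if code is not None and code != ok_code:
            kept.append(e)
    return kept


if __name__ == "__main__":
    print("substring filter keeps:", len(substring_filter(SAMPLE_EVENTS)))
    print("loose rex filter keeps:", len(field_filter(SAMPLE_EVENTS, pattern=LOOSE_RE)))
    print("strict rex filter keeps:", len(field_filter(SAMPLE_EVENTS)))
    for e in SAMPLE_EVENTS:
        print(extract_code(e, LOOSE_RE), extract_code(e, STRICT_RE))
```

On these three events the substring filter and the loose rex both keep only the 404, silently losing the 401 whose URL carries the literal; the anchored pattern keeps both the 404 and the 401. The same anchoring (`\sResponseCode:(?<code>\d{3})\s+Size:`) can be used directly in Splunk's `rex`, since the only Python-specific change is the `?P` in the group name.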
