blue-sky
Reputation: 53896
Splunk query for matching lines that do not contain text
To find logging lines that contain "gen-application" I use this search query :
source="general-access.log" "*gen-application*"
How to amend the query such that lines that do not contain "gen-application" are returned ?
source="general-access.log" != "gen-application" returns error :
Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side:
Upvotes: 8
Views: 28101
Answers (1)
matthew-e-brown
Reputation: 3087
I would use the NOT operator.
source="general-access.log" NOT "*gen-application"
Keep in mind that Splunk also has support for AND and OR.
Upvotes: 9
Related Questions
- How to exclude a particular string from set of server logs
- Splunk conditional search
- Splunk: Find events that don't have a certain attribute logged as different log lines
- Splunk query to get all counts including events (_raw) where match does not exist
- Splunk query to get non matching ID from two query
- How to find all the events that do not match a pattern in Splunk?
- Checking Splunk logs for one string but not others
- in splunk search How to get all instances that has a field without any value
- How to ignore a specific sub-string from Splunk query
- Splunk query to filter results