Reputation: 8816
Splunk query not endswith
I am just into learning of Splunk queries, I'm trying to grab a data from myfile.csv file based on the regex expression.
In particular, I'm looking forward, print only the rows where column fqdn not endswith udc.net and htc.com.
Below is my query which is working but i'm writing it twice.
| inputlookup myfile.csv
| regex support_group="^mygroup-Linux$"
| regex u_sec_dom="^Normal Secure$"
| regex fqdn!=".*?udc.net$"
| regex fqdn!=".*?htc.com$"
| where match(fqdn,".")
I am trying them to combine with | separeted but not working though...
| regex fqdn!="(.*?udc.net | ".*?htc.com)$"
Upvotes: 0
Views: 2200
Answers (2)
Reputation: 33455
You can do this with a search and where clause:
| inputlookup myfile.csv
| search support_group="mygroup-Linux" u_sec_dom="Normal Secure"
| where !match(fqdn,"udc.net$") AND !match(fqdn,"htc.com$")
Or just a single search clause:
| inputlookup myfile.csv
| search support_group="mygroup-Linux" u_sec_dom="Normal Secure" NOT (fqdn IN("*udc.net","*htc.com")
You can also rewrite the IN() thusly:
(fqdn="*udc.net" OR fqdn="*htc.com")
Upvotes: 2
Reputation: 9926
The combined regex will work if you omit the spaces on either side of the |. The extra spaces become part of the regex and prevent matches.
There's no need for the final where command. Splunk by default will display all events that match ..
Upvotes: 1
Related Questions
- Not able to match the regex
- REGEX not working- Filter the Splunk results
- Splunk: How to use multiple regular expressions in one query?
- Splunk: Escaping "<" ">" from the dashboard's source code
- Getting Error as "Regex: syntax error in subpattern name (missing terminator)." in SPLUNK
- Splunk not recognizing regex
- regex operator in Splunk is not working to match results
- Splunk subsearch for regex outputs
- RegEx in Splunk Search
- Splunk regex query returning no results