Filtering out strings in Splunk

Question

I have the below query.

index=myindex sourcetype="application:access:log" host=myservers* FullURL="*/ABC"

It works. However, I'd like the output to show all URLs with ABC within them, I just don't want results with ABCD to show in them.

Any idea how I can get that done? I've tried the below but it's failing.

index=myindex sourcetype="application:access:log" host=myservers* FullURL="*/ABC" AND FullURL!="*ABCD*"

index=myindex sourcetype="application:access:log" host=myservers* FullURL="*/ABC" AND NOT FullURL="*ABCD*"

score 0 · Answer 1 · answered Jan 15 '20 at 21:53

0

This query might do the trick :

index=myindex sourcetype="application:access:log" host=myservers* FullURL="*/ABC" | where NOT LIKE (FullURL="%ABCD%")

answered Jan 15 '20 at 21:53

Dexirian

1 Answers1