Splunk interesting field exclusion

Question

i have 4 fields (Name , age, class, subject) in one index (Student_Entry) and i want to add total events but i want to exclude those events who has any value in subject field.

I tried the below two ways

index=Student_Entry   Subject !=* | stats count by event
index=Student_Entry   NOT Subject= * | stats count by event

RichG · Answer 1 · 2020-06-15T13:08:20.850

2

The NOT and != operators are similar, but not equivalent. NOT will return events with no value in the Subject field, whereas != will not. In your case, use !=. See https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/NOTexpressions

stats count by event does nothing because there is no field called 'event'. To count events, just use stats count.

edited Jun 15 '20 at 13:08

answered Jun 15 '20 at 11:28

RichG

9,063
2
18
29

score 0 · Answer 2 · answered Jun 15 '20 at 08:29

0

It looks like you were right using index=Student_Entry Subject !=*

Then you can add only - | stats count

answered Jun 15 '20 at 08:29

Gil Kor

314
1
2
9

the `!=` is *NOT* equivalent to `NOT` in SPL – warren Jun 15 '20 at 14:40
Yes, Supriya was asking to not count events that have nothing in "subject". If I were to use NOT it will still be showing the events that have nothing in "subject". – Gil Kor Jun 16 '20 at 07:56
1

You need to use `NOT subject=*` vs `subject!=*` :) – warren Jun 16 '20 at 13:28

score 0 · Answer 3 · answered Jun 15 '20 at 14:39

0

You can do it this way, too:

index=Student_Entry
| where isnull(subject)
| stats count

answered Jun 15 '20 at 14:39

warren

32,620
21
85
124

Splunk interesting field exclusion

3 Answers3