Splunk Cloud

Search Manual

Download manual as PDF

Download topic as PDF

Difference between NOT and !=

When you want to exclude results from your search you can use the NOT operator or the != field expression. However there is a significant difference in the results that are returned from these two methods.

Suppose you have the following fields:

  • fieldA
  • fieldB
  • fieldC

Each of these fields has 3 different values. For example fieldA has value1, value2, and value3.

Searching with !=

If you search for fieldB!=value3, the search returns only those values for fieldB that are not value3:

  • fieldB=value1, fieldB=value2

If fieldB does not exist, nothing is returned.

Searching with NOT

If you search for NOT fieldB=value3, the search returns everything except fieldB=value3:

  • fieldA=value1, fieldA=value2, fieldA=value3
  • fieldB=value1, fieldB=value2
  • fieldC=value1, fieldC=value2, fieldC=value3

If fieldB does not exist, NOT fieldB=value3 returns:

  • fieldA=value1, fieldA=value2, fieldA=value3
  • fieldC=value1, fieldC=value2, fieldC=value3
Field expressions
Use CASE() and TERM() to match phrases

This documentation applies to the following versions of Splunk Cloud: 7.0.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3, 6.5.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters