Related Answers
Download topic as PDF
Difference between NOT and !=
When you want to exclude results from your search you can use the NOT operator or the != field expression. However there is a significant difference in the results that are returned from these two methods.
Suppose you have the following events. As you can see, some events have missing values.
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104F5 | Lyra | Bay | |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 102M7 | Dash | Black | Calaveras Farms |
| 102M1 | Roan | ||
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
| 102M8 | Spike | Grey | Calaveras Farms |
Searching with !=
If you search with the != expression, every event that has a value in the field, where that value does not match the value you specify, is returned. Events that do not have a value in the field are not included in the results.
For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are returned. Events that do not have Location value are not included in the results.
source="Ponies.csv" Location!="Calaveras Farms"
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
If you search for a Location that does not exist using the != expression, all of the events that have a Location value are returned.
Searching with NOT
If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.
For example, if you search using NOT Location="Calaveras Farms", every event is returned except the events that contain the value "Calaveras Farms". This includes events that do not have a Location value.
source="Ponies.csv" NOT Location="Calaveras Farms"
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104F5 | Lyra | Bay | |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 102M1 | Roan | ||
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
If you search for a Location that does not exist using NOT operator, all of the events are returned.
Searching with != or NOT is not efficient
Using the != expression or NOT operator to exclude events from your search results is not an efficient method of filtering events. The execution cost for a search is actually less when you explicitly specify the values that you want to include in the search results. For more tips on search optimization, see Quick tips for optimization.
|
PREVIOUS Field expressions |
NEXT Use CASE() and TERM() to match phrases |
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1
Comments
Hi, is the example correct please.
In this line it talks about Field A "Each of these fields has 3 different values. For example fieldA has value1, value2, and value3."
Then goes onto Field B.
Regards
Hello IRHM73
Thank you for your comment. I looked over the example and it was not correct. I, with the help of Splunk Trust member DalJeanis, have updated the example.