Difference between != and NOT
When you want to exclude results from your search you can use the NOT operator or the != field expression. However there is a significant difference in the results that are returned from these two methods.
Suppose you have the following events. As you can see, some events have missing values.
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104F5 | Lyra | Bay | |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 102M7 | Dash | Black | Calaveras Farms |
| 102M1 | Roan | ||
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
| 102M8 | Spike | Grey | Calaveras Farms |
Searching with !=
If you search with the != expression, every event that has a value in the field, where that value does not match the value you specify, is returned. Events that do not have a value in the field are not included in the results.
For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are returned. Events that do not have Location value are not included in the results.
source="Ponies.csv" Location!="Calaveras Farms"
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
If you search for a Location that does not exist using the != expression, all of the events that have a Location value are returned.
Searching with NOT
If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.
For example, if you search using NOT Location="Calaveras Farms", every event is returned except the events that contain the value "Calaveras Farms". This includes events that do not have a Location value.
source="Ponies.csv" NOT Location="Calaveras Farms"
| ID | Name | Color | Location |
|---|---|---|---|
| 101M3 | McIntosh | Chestnut | Marin Meadows |
| 104F5 | Lyra | Bay | |
| 104M6 | Rutherford | Dun | Placer Pastures |
| 101F2 | Rarity | Marin Meadows | |
| 102M1 | Roan | ||
| 101F6 | Chestnut | Marin Meadows | |
| 104F4 | Pinkie | Sorrel | Placer Pastures |
If you search for a Location that does not exist using NOT operator, all of the events are returned.
Using != with the regex command
If you use regular expressions in conjunction with != in searches, see regex.
Searching with != or NOT is not efficient
Using the != expression or NOT operator to exclude events from your search results is not an efficient method of filtering events. The execution cost for a search is actually less when you explicitly specify the values that you want to include in the search results. For more tips on search optimization, see Quick tips for optimization.
| Boolean expressions with logical operators | Field expressions |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!