Splunk query for matching lines that do not contain text

Question

To find logging lines that contain "gen-application" I use this search query :

source="general-access.log" "*gen-application*"

How to amend the query such that lines that do not contain "gen-application" are returned ?

source="general-access.log" != "gen-application" returns error :

Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side:

score 7 · Accepted Answer · answered Nov 29 '19 at 15:43

7

I would use the NOT operator.

source="general-access.log" NOT "*gen-application"

Keep in mind that Splunk also has support for AND and OR.

answered Nov 29 '19 at 15:43

matthew-e-brown

1 Answers1