0 votes

When I use the search operator search "response.header.status"!=200, Splunk will only include results for which the response.header.status path exists.

So the search parameter here is implicitly forcing the requirement for the property to exist, regardless of its value.

Is there a variant of search that will let me exclude results based on the value of the path, but still include the result if the path does not exist?

1

1 Answer

2 votes

The construct foo != bar means "show events where the 'foo' field does not have the value 'bar'". That means the "foo" field must exist.

To find events where the "foo" field either doesn't exist or has a value other than "bar", use this non-intuitive search:

search NOT "response.header.status" = 200
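The difference between the two forms matters for detection content: a rule written with field!=value silently drops every event that lacks the field, which is exactly the shape a truncated or malformed log record takes. The following is an added example, not code from the original question or answer and not Splunk itself: a small Python model of the two filter semantics described above, run over three constructed JSON events (one with no response.header.status at all). The event records, the get_path helper and the two filter functions are assumptions made for illustration; the model ignores Splunk's loose type coercion between strings and numbers.

```python
import json

# Constructed sample events (not from the original page): three HTTP log
# records, one of which has no response.header.status field at all.
SAMPLE_EVENTS = [
    json.loads(s) for s in (
        '{"src": "10.0.0.5", "response": {"header": {"status": 200}}}',
        '{"src": "10.0.0.6", "response": {"header": {"status": 403}}}',
        '{"src": "10.0.0.7", "response": {}}',
    )
]

# Sentinel distinguishing "field absent" from any real value (including None).
_MISSING = object()


def get_path(event, path):
    """Resolve a dotted path such as 'response.header.status' in a nested dict.

    Returns _MISSING when any component of the path is absent, so callers can
    tell a missing field apart from a field that is present with a falsy value.
    """
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def filter_not_equal(events, path, value):
    """Model of the SPL form  search path!=value

    The comparison is only evaluated when the field exists, so events without
    the field are excluded even though they do not carry the unwanted value.
    """
    kept = []
    for event in events:
        found = get_path(event, path)
        if found is not _MISSING and found != value:
            kept.append(event)
    return kept


def filter_not_field_equals(events, path, value):
    """Model of the SPL form  search NOT path=value

    The inner predicate path=value is false when the field is missing, and NOT
    inverts it, so events lacking the field are kept alongside mismatches.
    """
    kept = []
    for event in events:
        found = get_path(event, path)
        matched = found is not _MISSING and found == value
        if not matched:
            kept.append(event)
    return kept


def sources(events):
    """Convenience: the src addresses of the surviving events, for comparison."""
    return [event["src"] for event in events]


if __name__ == "__main__":
    path, value = "response.header.status", 200
    print("path!=value keeps:     ", sources(filter_not_equal(SAMPLE_EVENTS, path, value)))
    print("NOT path=value keeps:  ", sources(filter_not_field_equals(SAMPLE_EVENTS, path, value)))
```

Running the block shows the gap: the first form returns only the 403 event, while the second returns the 403 event and the event with no status field, which is the set the question asked for.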