要查找包含“ gen-application”的日志记录行,我使用此搜索查询:
source="general-access.log" "*gen-application*"
如何修改查询,以便返回不包含“ gen-application”的行?
source =“ general-access.log”!=“ gen-application”返回错误:
Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side:
我将使用NOT运算符。
source="general-access.log" NOT "*gen-application"
请记住,Splunk也支持AND和OR。