Hi,
When building queries, I'm all for their clean look and readability - of course, performance always matters more.
But I have this case in which I want to exclude lots of usernames from my search:
username!=Johndoe username!=Mikesomeone username!=Jennifersomeoneelse
but this looks much shorter and cleaner:
NOT username IN (Johndoe Mikesomeone Jennifersomeoneelse)
I've been using **"field IN (value1 value2 value3)"** a lot, but only today I started using it with the **NOT** operator. Unfortunately, after I press CTRL+SHIFT+E in the query editor, I see that this shorter "NOT value IN ()" is transformed to
NOT user=xxx NOT user=yyy ...etc
As far as I know this is not the same as **user!=xxx AND user!=yyy** and returns more results which I need.
Is there a way to write a shorter query that does the same as the explicit exclusion of multiple values from one field?
I've looked through a similar topic: https://answers.splunk.com/answers/48398/how-to-exclude-a-list-of-values-for-a-field.html but my case is not covered there. I'll appreciate all help.