Hi, I've got events which are JSON Objects. I have values under complex paths, e.g.:
values.clicks.valueMap.CLICK_KEY="adhfkjsdafgkhbg-SPECIAL"
In my search, I need do exclude events which have a specific value in under this path. For reasons of comfort and to be more indipendent of the specific event structures, I tried fieldalias in die Fieldalias Editor in Splunk:
values.clicks.valueMap.CLICK_KEY AS click_key
Now, I want to exclude all click_keys, which contain the "-SPECIAL" Substring. If I do it like this:
sourcetype="my_click_json_objects" click_key!="*-SPECIAL*" | stats count
Everything works fine (taken into consideraton the differences between NOT and "!="). But if I do it like this:
sourcetype="my_click_json_objects" NOT click_key="*-SPECIAL*" | stats count
I get zero counts at all. But on the other hand, the following works fine:
sourcetype="my_click_json_objects" NOT values.clicks.valueMap.CLICK_KEY="*-SPECIAL*" | stats count
Are there any limitations in using the NOT operator with fieldalias. Thanks