NOT IN Operation in Splunk Query

In Splunk, NOT() and IN() are distinct methods employed. It’s important to note, however, that Splunk does not utilise a direct NOT IN() function. By tactfully integrating NOT() and IN() together with intended values, an equivalent effect to NOT IN() can be accomplished.

NOT() and IN() are two different methods in Splunk. We don’t have NOT IN() method in Splunk.

Check the following example for NOT IN Operation in Splunk Query. As per the example, field1 value should not be equal to a or b or c or d or e.

Sample Splunk Query:

<Your Basic Query> NOT( field1 IN ( a, b, c, d, e, f ) )
earliest=9/13/2022:19:15:00 latest=9/14/2022:19:15:00

In order to use NOT and IN, use it as per the above example in your Splunk Query as we cannot use NOT IN directly.

Hence, while there isn’t a ready-made NOT IN() function, a combination of NOT() and IN() can be manipulated to serve the same purpose effectively.

Leave a Reply