Which is better NOT or !=

Here are two searches that are the same.

NOT FIELD="value"

FIELD!="value"

Which should be used? Is this just a personal preference or are there any performance differences between the two.

There are lots of cases where the NOT prefixes a much more complex search, but I'm just wondering about this simple case.

asked 17 Sep '10, 19:57

skeetermurphy
35●2
accept rate: 0%

These searches are not the same. See below.

(17 Sep '10, 21:12) gkanapathy ♦

One Answer:

oldest newest most voted

These two searches are not the same.

NOT field="value" will return events where field is undefined (or null). field!="value" will only return events where field exists (and does not have the value "value").

In the case where the value in question is "*", NOT field=* will return events where field is null/undefined. field!=* will never return any events.

link

answered 17 Sep '10, 21:11

gkanapathy ♦
26.5k●1●6●22
accept rate: 42%

edited 17 Sep '10, 21:56

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

search-language ×335
search-efficiency ×23

Asked: 17 Sep '10, 19:57

Seen: 356 times

Last updated: 17 Sep '10, 21:56

Which is better NOT or !=

Follow this question

Splunk Resources

Related questions