How to ignore a specific sub-string from Splunk query

Question

Need some help to generate appropriate Spunk query. I am searching for this but could not come up with a solution.

Currently, I want to ignore all error alerts that are generated for logs with only ev31=error; term. If we use NOT ev31=error; in search query, it also removes results with valid error terms. So the current query will fail in case log contains both error and ev31=error; terms resulting in incorrect results.

Can anyone suggest a example query, where we can ignore ev31=error; term altogether but keep logs with error term.

Answer 1

Try including the string you want to ignore in quotes, so your search might look something like index=myIndex NOT "ev31=error"