SPLK-1001 Exam - Question 166

Question

Will the queries following below get the same result?1. index=log sourcetype=error_log status !=1002. index=log sourcetype=error_log NOT status =100.

Examice · Accepted Answer

No, the queries will not get the same result. The != operator filters out events where the specified field equals the given value, only if the field exists in the event. Conversely, the NOT operator excludes events that either do not contain the field or where the field equals the given value. This means that the second query will exclude more events, covering cases where the status field might not be present at all.

LeandroJ · Answer

Hello I'm Leandro from Argentina, i think the answer could be YES!
• Does != and NOT ever yield the same results?
– Yes, if you know the field you’re evaluating always exists in the data
you’re searching
– For example:
 index=web sourcetype=access_combined status!=200
 index=web sourcetype=access_combined NOT status=200
yields same results because status field always exists in
access_combined sourcetype

reyangelo · Answer

Answer is No. I can run a query to search httpCode!=200 and get no results (most likely 200's which is good). I rerun as NOT httpCode=200 and get a couple events rendering no httpCode but instead a loglevel. Odd but think it is the reason help view any events which are not registering a particular field. Again, just a thought on reason this should be "No".

Nanila · Answer

They will give the same results. != (Means not equal to)

TeeCeeP · Answer

If we know for sure the error_log has the status field, then YES. If we do not know, then NO. We need for data for this question.

ja5656 · Answer

B is correct.Query No.2 also returns events that do not include the status field.

SPLK-1001 Exam - Question 166

Discussion