If you want to exclude events that contain "[error]", just do the following – it’s much simpler:
index=ndx sourcetype=srctp transid=* NOT "[error]"
| <rest of spl goes here>
from User warren – Stack Overflow https://stackoverflow.com/questions/73802042/exclude-multiples-values-splunk/73803588#73803588
via IFTTT