https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536424#M448 <P>Sceikok,</P><P>that's exactly what I tried but it doesn't work.&nbsp; By the way, there's a PIPE before the WHERE so i'm sure you meant it like this</P><P>&nbsp;</P><P>| from inputlookup:access_tracker | where user!="bob*"<BR />| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user<BR />| where ((now()-'lastTime')/86400)&gt;90</P><P>&nbsp;</P><P>The problem is it doesn't like the asterisk after bob.&nbsp; If I type in an exact user, I can see it gets excluded. If I include the asterik, I see all the "BOBs"</P> Wed, 20 Jan 2021 04:45:03 GMT iherb_0718 2021-01-20T04:45:03Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536390#M443 <P>Trying to modify this default correlation search:</P><P>| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)&gt;90</P><P>I want to exclude from this search if the field "user" includes a value that begins with "bob"</P><P>Thanks in advance</P><P>&nbsp;</P> Tue, 19 Jan 2021 21:22:48 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536390#M443 iherb_0718 2021-01-19T21:22:48Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536392#M444 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229889">@iherb_0718</a>,</P><P>Please try this;</P><LI-CODE lang="markup">| from inputlookup:access_tracker where user LIKE "bob%" | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)&gt;90</LI-CODE><P>&nbsp;</P><P>If this reply helps you an upvote is appreciated.</P> Tue, 19 Jan 2021 21:26:21 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536392#M444 scelikok 2021-01-19T21:26:21Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536394#M445 <P>Sceikok thanks for the quick response. I want to EXCLUDE bob.&nbsp; &nbsp;Therefore what booleon would that be? It won't be "LIKE"</P> Tue, 19 Jan 2021 21:30:12 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536394#M445 iherb_0718 2021-01-19T21:30:12Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536405#M446 <P>anyone please?</P> Tue, 19 Jan 2021 23:08:41 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536405#M446 iherb_0718 2021-01-19T23:08:41Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536422#M447 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229889">@iherb_0718</a>,</P><P>You can use below;</P><LI-CODE lang="markup">| from inputlookup:access_tracker where user!="bob*" | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)&gt;90</LI-CODE><P>&nbsp;</P><P>If this reply helps you an upvote is appreciated.</P> Wed, 20 Jan 2021 04:37:01 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536422#M447 scelikok 2021-01-20T04:37:01Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536424#M448 <P>Sceikok,</P><P>that's exactly what I tried but it doesn't work.&nbsp; By the way, there's a PIPE before the WHERE so i'm sure you meant it like this</P><P>&nbsp;</P><P>| from inputlookup:access_tracker | where user!="bob*"<BR />| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user<BR />| where ((now()-'lastTime')/86400)&gt;90</P><P>&nbsp;</P><P>The problem is it doesn't like the asterisk after bob.&nbsp; If I type in an exact user, I can see it gets excluded. If I include the asterik, I see all the "BOBs"</P> Wed, 20 Jan 2021 04:45:03 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536424#M448 iherb_0718 2021-01-20T04:45:03Z https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536428#M449 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229889">@iherb_0718</a>,</P><P>I didn't notice pipe , normally there is no need from command also but below should work based on your correlation search;</P><LI-CODE lang="markup">| from inputlookup:access_tracker | where NOT user LIKE "bob%" | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)&gt;90</LI-CODE><P>or</P><LI-CODE lang="markup">| inputlookup access_tracker where user!="bob*" | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)&gt;90</LI-CODE><P>&nbsp;Both should be ok;</P><P>If this reply helps you an upvote is appreciated.</P> Wed, 20 Jan 2021 05:15:42 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/SPL-help-enterprise-security/m-p/536428#M449 scelikok 2021-01-20T05:15:42Z