https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26053#M5007 <P>the match command works but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.</P> Fri, 10 Jun 2011 09:39:46 GMT Ant1D 2011-06-10T09:39:46Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26049#M5003 <P>Hi,</P> <P>I have a field named hello_world and a value of the field is *</P> <P>I am writing a search where the results will not include this value *.</P> <P>The problem is if I write for example:<BR /> <CODE>index=my_index NOT hello_world="*"</CODE></P> <P>I will get no results that have any value for field hello_world and at face value that makes sense. So how can I tell Splunk to say <CODE>NOT field=*</CODE> (just the string/symbol) instead of <CODE>NOT field=*</CODE> (no results at all)</P> Thu, 09 Jun 2011 14:43:16 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26049#M5003 Ant1D 2011-06-09T14:43:16Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26050#M5004 <P>You may need to do something like this:</P> <PRE><CODE>index=my_index | where NOT match(hello_world, "\*") </CODE></PRE> Thu, 09 Jun 2011 16:50:03 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26050#M5004 mw 2011-06-09T16:50:03Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26051#M5005 <P>You can also do simple string comparison in the where command:</P> <PRE><CODE>... | where NOT hello_world="*" </CODE></PRE> Thu, 09 Jun 2011 16:53:22 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26051#M5005 ziegfried 2011-06-09T16:53:22Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26052#M5006 <P>This is a known bug, which is present in the Release Notes' <A href="http://www.splunk.com/base/Documentation/latest/ReleaseNotes/Knownissues">Known Issues </A>page.</P> <PRE><CODE>There is no way to escape an asterisk (*) in the search language. (SPL-30079) </CODE></PRE> <P>So you should go for the suggested workarounds...</P> Thu, 09 Jun 2011 17:15:06 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26052#M5006 Paolo_Prigione 2011-06-09T17:15:06Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26053#M5007 <P>the match command works but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.</P> Fri, 10 Jun 2011 09:39:46 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26053#M5007 Ant1D 2011-06-10T09:39:46Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26054#M5008 <P>I am good at finding Splunk bugs <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 10 Jun 2011 09:42:39 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26054#M5008 Ant1D 2011-06-10T09:42:39Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26055#M5009 <P>match uses regular expressions, so you just needed to anchor it then: "where NOT match(hello_world, "^\*$")"</P> Fri, 10 Jun 2011 10:10:43 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26055#M5009 mw 2011-06-10T10:10:43Z https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26056#M5010 <P>Hi</P> <P>i know this is an old question, but i have a solution that worked for me, it is a bit hacky, but if your conscience allows you to live with that, here it is.</P> <P>rex mode=sed field=myfieldwithanasterisk "s/\*/ASTERISK/g"</P> <P>This will change the * to the word ASTERISK in the field myfieldwithanasterisk allowing you to then manipulate the field in anyway you want.</P> <P>Thanks<BR /> Darren</P> Tue, 08 Apr 2014 09:56:38 GMT https://community.splunk.com/t5/Splunk-Search/field-value/m-p/26056#M5010 darrend 2014-04-08T09:56:38Z