https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236540#M70272 <P>Why not simply use this</P> <PRE><CODE>your base search ..| search user!="*-abc" </CODE></PRE> Mon, 21 Sep 2015 20:18:09 GMT somesoni2 2015-09-21T20:18:09Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236539#M70271 <P>I am currently trying to work on a search where are admins in my results. I want the search to show only regular users and admins are noted by a -abc next to their name. This is what I currently have and I get the same amount of results with or without regex: </P> <PRE><CODE>... | regex &lt;user&gt;!="&lt;-abc&gt;" | </CODE></PRE> <P>So for example the user field will have johnny and a separate line for johnny-abc. I want to search and not have a result if -abc is found in the user field. </P> Mon, 21 Sep 2015 20:12:00 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236539#M70271 santorof 2015-09-21T20:12:00Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236540#M70272 <P>Why not simply use this</P> <PRE><CODE>your base search ..| search user!="*-abc" </CODE></PRE> Mon, 21 Sep 2015 20:18:09 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236540#M70272 somesoni2 2015-09-21T20:18:09Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236541#M70273 <P>could you please provide some sample events?</P> Mon, 21 Sep 2015 20:19:29 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236541#M70273 MuS 2015-09-21T20:19:29Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236542#M70274 <P>Assuming you have a field named <CODE>user</CODE> which has values such as <CODE>woodcock-abc</CODE> for admins and values such as <CODE>otherguy</CODE> for non-admins, you should be able to use this (among <EM>many</EM> other ways):</P> <PRE><CODE> ... | regex user!=".*\-abc$" </CODE></PRE> Mon, 21 Sep 2015 21:26:02 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236542#M70274 woodcock 2015-09-21T21:26:02Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236543#M70275 <P>This worked as well as the suggestion from Wood about regex. Thank you! </P> Wed, 23 Sep 2015 12:15:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236543#M70275 santorof 2015-09-23T12:15:14Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236544#M70276 <P>Could you explain to me what the . , forward slash, and $ are for? I have been looking at the regex documentation and cant seem to find anything solid. I would like to know this so I can do a regex to take into account a abc-USERNAME where abc- is what I would want to filter against to not include. In this case abc- is at the begining and the *(everything) would come after </P> <P>EDIT: I believe I got it. regex user!="abc-.*"</P> Fri, 25 Sep 2015 12:44:12 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236544#M70276 santorof 2015-09-25T12:44:12Z https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236545#M70277 <P>The <CODE>.</CODE> matches any 1 character and the <CODE>*</CODE> modifies the character class that precedes it with <CODE>zero or more of those</CODE>. The <CODE>\</CODE> escapes the next character that follows so that it is taken literally instead of indicating special functio n/token (in this case it is sperflous and you don't need it; it was a mistake on my part). The <CODE>$</CODE> says <CODE>no more characters after this</CODE>.</P> Fri, 25 Sep 2015 16:56:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-in-search-to-filter-not-working/m-p/236545#M70277 woodcock 2015-09-25T16:56:36Z