Splunk Search

Exclude fields ending with specific character

shaker_ali
Engager

Hi Guys,

I am trying to filter out "Account_Name" values that end with $ and account names with no value (these have the field value "-"). So far I have managed to exclude "-".

index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

2/22/2016 15:14 4624 - HST002 An account was successfully logged on 11
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

And yet this gives me results with field values "-" and ending with $.

If I take out "Account_Name!=*$ " and also take out "OR" to make my query something like this

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*

The resulting output is:

2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

Am I doing something wrong? I am expecting the output to be only this:

2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

Please help me, as I have tried to use the NOT and WHERE commands too but it still doesn't work.

Thank you

1 Solution

ryandg
Communicator

Looks like you cut out your securityID value in your query above, try the below but put it back in.

index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

Also keep in mind you might have blank spaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$* if you wanted to keep it without the regex.


somesoni2
SplunkTrust

The logical condition that you need to exclude both "-" and Account_Name ending with $ will be AND. That is the default logical operator anyway. So try like this:

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
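To make the OR-versus-AND point concrete, here is an added Python example (not from the thread, and not Splunk's own code) that emulates the three != filters from the question and the regex from the accepted answer over a constructed set of Account_Name values modelled on the question's output. It also shows that the regex on its own still keeps "-", so the Account_Name!="-" condition is still needed when filtering machine-account logons.

```python
import re

# Constructed sample rows modelled on the stats output in the question
# (Account_Name values only; the DHK* row is added to exercise that filter).
SAMPLE_ROWS = [
    {"Account_Name": "-",       "host": "HST002"},
    {"Account_Name": "ABC001$", "host": "HST002"},
    {"Account_Name": "CBAU02$", "host": "HST002"},
    {"Account_Name": "XYZU02",  "host": "HST002"},
    {"Account_Name": "DHKADM",  "host": "HST002"},
]

# The three "!=" predicates from the question, as Python functions.
def not_dash(name):      # Account_Name!="-"
    return name != "-"

def not_dhk(name):       # Account_Name!=DHK*
    return not name.startswith("DHK")

def not_machine(name):   # Account_Name!=*$
    return not name.endswith("$")

PREDICATES = (not_dash, not_dhk, not_machine)

def filter_with_or(rows):
    """Emulates `A!="-" OR A!=DHK* OR A!=*$`: a row survives if ANY predicate holds.
    Every row satisfies at least one of the three, so nothing is excluded."""
    return [r["Account_Name"] for r in rows
            if any(p(r["Account_Name"]) for p in PREDICATES)]

def filter_with_and(rows):
    """Emulates `A!="-" A!=DHK* A!=*$` (implicit AND): a row survives only if ALL hold."""
    return [r["Account_Name"] for r in rows
            if all(p(r["Account_Name"]) for p in PREDICATES)]

# The regex from the accepted answer: the negative lookbehind rejects any value
# whose final character is "$". Splunk's regex command keeps matching results.
NOT_MACHINE_RE = re.compile(r".*(?<!\$)$")

def filter_with_regex(rows):
    """Emulates `| regex Account_Name=".*(?<!\\$)$"` on its own, with no != filters."""
    return [r["Account_Name"] for r in rows
            if NOT_MACHINE_RE.search(r["Account_Name"])]
```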


ddrillic
Ultra Champion

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."


ryandg
Communicator

Right, and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when I put it into regex101 it appears that it also negates the "-" as well.


ryandg
Communicator

Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-", as != comparisons are quite slow on large data sets.
