Excluding search results ending with a $ sign

Explorer

I am writing a Windows Security Log search for user accounts and have the eventID I need to search for, but the results not only return user accounts but also computer accounts ending with a $ sign, e.g., user=Win-w7dc008$ and user=jsmith. How do I get my search to ignore user accounts ending with a $ sign and only return user=jsmith?

This is what I am using with no luck.

NOT user=\"\w*\"

TIA

0 Karma

Legend

Try this

yoursearchhere
| regex user!="\$$"

Explorer

Worked perfectly. Thanks!

0 Karma
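
A run-anywhere check of the accepted answer's filter, added here as an example and not part of the original thread. The `user` values are constructed sample data (only `jsmith` and `Win-w7dc008$` come from the question), `makeresults` stands in for `yoursearchhere`, and `account_type` is a hypothetical helper field. Because the pattern is anchored to the end of the value, only names ending in a dollar sign are dropped, while `svc$reports`, which has one mid-name, is kept.

```spl
| makeresults count=5
| streamstats count AS n
| eval user=case(n=1, "jsmith", n=2, "Win-w7dc008$", n=3, "EXAMPLE-DC01$", n=4, "svc$reports", n=5, "adoe")
| eval account_type=if(like(user, "%$"), "computer", "user")
| regex user!="\$$"
| table user account_type
```

Every row that survives the `regex` step should show `account_type=user`, which confirms the filter and the independent `like` check agree on the sample.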