Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Exclude fields ending with specific character
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shaker_ali
Engager
02-21-2016
11:43 PM
Hi Guys,
I am trying to filter out "Account_Name" that ends with $ and account names with no values( this as field value "-"). So far I have managed to exclude "-".
index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
2/22/2016 15:14 4624 - HST002 An account was successfully logged on 11
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
And yet this gives me results with field values "-" and ending with $.
If i take out "Account_Name!=*$ " and also take out "OR" to make my query something like this
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*
The resulting output is:
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Am I doing something wrong, I am expecting the output to be only like this:
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Please help me as i have tried to use NOT and WHERE commands too but still doesn't work.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
07:01 AM
Looks like you cut out your securityID value in your query above, try the below but put it back in.
index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
Also keep in mind you might have blankspaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$*
If you wanted to keep it without the regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-22-2016
07:21 AM
The logical condition that you need to exclude both "-" and Accound_Name ending with $ will be AND. That is the default logical operator anyways So try like this
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
07:01 AM
Looks like you cut out your securityID value in your query above, try the below but put it back in.
index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
Also keep in mind you might have blankspaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$*
If you wanted to keep it without the regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
02-22-2016
07:21 AM
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
08:39 AM
right and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when i put it into regex101 it appears that it also negates the "-" as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
08:43 AM
Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-" as != are quite slow in large data sets.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
