Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Exclude fields ending with specific character
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shaker_ali
Engager
02-21-2016
11:43 PM
Hi Guys,
I am trying to filter out "Account_Name" that ends with $ and account names with no values( this as field value "-"). So far I have managed to exclude "-".
index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
2/22/2016 15:14 4624 - HST002 An account was successfully logged on 11
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
And yet this gives me results with field values "-" and ending with $.
If i take out "Account_Name!=*$ " and also take out "OR" to make my query something like this
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*
The resulting output is:
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Am I doing something wrong, I am expecting the output to be only like this:
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Please help me as i have tried to use NOT and WHERE commands too but still doesn't work.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
07:01 AM
Looks like you cut out your securityID value in your query above, try the below but put it back in.
index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
Also keep in mind you might have blankspaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$*
If you wanted to keep it without the regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-22-2016
07:21 AM
The logical condition that you need to exclude both "-" and Accound_Name ending with $ will be AND. That is the default logical operator anyways So try like this
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
07:01 AM
Looks like you cut out your securityID value in your query above, try the below but put it back in.
index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
Also keep in mind you might have blankspaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$*
If you wanted to keep it without the regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
02-22-2016
07:21 AM
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
08:39 AM
right and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when i put it into regex101 it appears that it also negates the "-" as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ryandg
Communicator
02-22-2016
08:43 AM
Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-" as != are quite slow in large data sets.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
