Splunk Search

Exclude fields ending with specific character

shaker_ali
Engager

Hi Guys,

I am trying to filter out "Account_Name" values that end with $ and account names with no value (these have the field value "-"). So far I have managed to exclude "-".

index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

win_log_time | eventid | Account_Name | host | EventCodeDescription | count
2/22/2016 15:14 | 4624 | - | HST002 | An account was successfully logged on | 11
2/22/2016 15:14 | 4624 | ABC001$ | HST002 | An account was successfully logged on | 1
2/22/2016 15:14 | 4624 | CBAU02$ | HST002 | An account was successfully logged on | 1
2/22/2016 15:14 | 4624 | XYZU02 | HST002 | An account was successfully logged on | 1

And yet this gives me results with field values "-" and ending with $.

If I take out "Account_Name!=*$" and also take out "OR" to make my query something like this:

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*

The resulting output is:

win_log_time | eventid | Account_Name | host | EventCodeDescription | count
2/22/2016 15:14 | 4624 | ABC001$ | HST002 | An account was successfully logged on | 1
2/22/2016 15:14 | 4624 | CBAU02$ | HST002 | An account was successfully logged on | 1
2/22/2016 15:14 | 4624 | XYZU02 | HST002 | An account was successfully logged on | 1

Am I doing something wrong? I am expecting the output to be only this:

win_log_time | eventid | Account_Name | host | EventCodeDescription | count
2/22/2016 15:14 | 4624 | XYZU02 | HST002 | An account was successfully logged on | 1

Please help me, as I have tried to use the NOT and WHERE commands too, but it still doesn't work.

Thank you

1 Solution

ryandg
Communicator

Looks like you cut out your securityID value in your query above, try the below but put it back in.

index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

Also keep in mind you might have blank spaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$*

If you wanted to keep it without the regex.


somesoni2
Revered Legend

The logical condition that you need to exclude both "-" and Account_Name ending with $ will be AND. That is the default logical operator anyway, so try like this:

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

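As an added example (not code from any poster in this thread), the three filter variants discussed above, emulated in Python over rows constructed from the question's output: the OR-joined != clauses from the question, somesoni2's implicit-AND version, and ryandg's regex command. Names ending in $ are computer accounts and "-" is what event 4624 carries when the field is empty, which is why both need excluding. Assumed: Splunk's != with * wildcards is emulated case-insensitively, and the regex command keeps only rows whose field matches.

```python
import re

# Constructed sample rows modelled on the question's stats output:
# (win_log_time, eventid, Account_Name, host). DHK_svc is added to
# exercise the DHK* clause.
ROWS = [
    ("2/22/2016 15:14", 4624, "-", "HST002"),
    ("2/22/2016 15:14", 4624, "ABC001$", "HST002"),
    ("2/22/2016 15:14", 4624, "CBAU02$", "HST002"),
    ("2/22/2016 15:14", 4624, "XYZU02", "HST002"),
    ("2/22/2016 15:14", 4624, "DHK_svc", "HST002"),
]

def wildcard_ne(value, pattern):
    """Emulate Splunk's field!=pattern: '*' is a wildcard, matching is
    case-insensitive, and the pattern must cover the whole value."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.IGNORECASE) is None

def filter_or(rows):
    """The question's first query: clauses joined with OR. By De Morgan a
    name is only dropped if it equals '-' AND starts with DHK AND ends in
    '$' all at once, which no value can, so every row survives."""
    return [r[2] for r in rows
            if wildcard_ne(r[2], "-")
            or wildcard_ne(r[2], "DHK*")
            or wildcard_ne(r[2], "*$")]

def filter_and(rows):
    """somesoni2's query: consecutive != clauses are implicitly ANDed."""
    return [r[2] for r in rows
            if wildcard_ne(r[2], "-")
            and wildcard_ne(r[2], "DHK*")
            and wildcard_ne(r[2], "*$")]

# ryandg's pattern: any string whose last character is not '$'.
NOT_DOLLAR = re.compile(r".*(?<!\$)$")

def filter_regex(rows):
    """ryandg's query: drop DHK* with !=, then keep only rows matching the
    regex. '-' does not end in '$', so it passes the regex and still needs
    the Account_Name!="-" clause to be removed."""
    return [r[2] for r in rows
            if wildcard_ne(r[2], "DHK*") and NOT_DOLLAR.search(r[2])]

if __name__ == "__main__":
    print("OR   :", filter_or(ROWS))     # every row survives
    print("AND  :", filter_and(ROWS))    # ['XYZU02']
    print("regex:", filter_regex(ROWS))  # ['-', 'XYZU02']
```
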
ddrillic
Ultra Champion

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."


ryandg
Communicator

Right, and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when I put it into regex101 it appears that it also negates the "-" as well.


ryandg
Communicator

Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-", as != comparisons are quite slow in large data sets.
