Exclude fields ending with specific character

shaker_ali
Engager

Hi Guys,

I am trying to filter out "Account_Name" values that end with $ and account names with no value (these have "-" as the field value). So far I have managed to exclude "-".

index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

2/22/2016 15:14 4624 - HST002 An account was successfully logged on 11
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

And yet this gives me results with field values "-" and ending with $.

If I take out "Account_Name!=*$ " and also take out "OR" to make my query something like this

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*

The resulting output is:

2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

Am I doing something wrong? I am expecting the output to be only like this:

2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1

Please help me, as I have tried to use the NOT and WHERE commands too but it still doesn't work.

Thank you


ryandg
Communicator

Looks like you cut out your securityID value in your query above, try the below but put it back in.

index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

Also keep in mind you might have blank spaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$* if you want to keep it without the regex.


somesoni2
Revered Legend

The logical condition that you need to exclude both "-" and Account_Name ending with $ will be AND. That is the default logical operator anyway. So try like this:

index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription

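A small Python model of the three filters discussed in this thread (an added illustration, not code from the original posts or from Splunk): it applies the question's OR form, somesoni2's AND form and ryandg's regex form to constructed sample Account_Name values. The glob-to-regex helper is an assumption that approximates Splunk's `!=` wildcard comparison.

```python
import re

# Constructed sample events modelled on the stats output in the question
# (not real Windows Security log data).
EVENTS = [
    {"Account_Name": "-",       "host": "HST002"},
    {"Account_Name": "ABC001$", "host": "HST002"},
    {"Account_Name": "CBAU02$", "host": "HST002"},
    {"Account_Name": "XYZU02",  "host": "HST002"},
    {"Account_Name": "DHK_svc", "host": "HST002"},
]

def neq_glob(value, pattern):
    """Approximation of Splunk `field!=pattern`, where `*` is a wildcard."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.fullmatch(regex, value) is None

def or_filter(name):
    # The question's first query: three != tests joined with OR.
    # Any value fails at most one of the tests, so the OR is always true.
    return neq_glob(name, "-") or neq_glob(name, "DHK*") or neq_glob(name, "*$")

def and_filter(name):
    # somesoni2's form: the same tests joined with Splunk's implicit AND.
    return neq_glob(name, "-") and neq_glob(name, "DHK*") and neq_glob(name, "*$")

# The pattern from `| regex Account_Name=".*(?<!\$)$"`: the regex command
# drops events that do not match, i.e. names whose last character is `$`.
TRAILING_DOLLAR = re.compile(r".*(?<!\$)$")

def regex_filter(name):
    # ryandg's query keeps the `Account_Name!=DHK*` search-time test and
    # adds the regex stage; "-" does not end in `$`, so it is kept.
    return neq_glob(name, "DHK*") and TRAILING_DOLLAR.search(name) is not None

def kept_names(predicate):
    """Account_Name values that survive the given filter, in event order."""
    return [e["Account_Name"] for e in EVENTS if predicate(e["Account_Name"])]

if __name__ == "__main__":
    for label, pred in [("OR", or_filter), ("AND", and_filter), ("regex", regex_filter)]:
        print(f"{label:5} keeps {kept_names(pred)}")
```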

ddrillic
Ultra Champion

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."


ryandg
Communicator

Right, and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when I put it into regex101 it appears that it also negates the "-" as well.


ryandg
Communicator

Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-", as != is quite slow on large data sets.
