Hi Guys,
I am trying to filter out "Account_Name" values that end with $ and account names with no value (these have the field value "-"). So far I have managed to exclude "-".
index=_win eventid=4624 Security_ID= Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
2/22/2016 15:14 4624 - HST002 An account was successfully logged on 11
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
And yet this gives me results with field values "-" and ending with $.
If I take out "Account_Name!=*$" and also take out "OR" to make my query something like this
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK*
The resulting output is:
2/22/2016 15:14 4624 ABC001$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 CBAU02$ HST002 An account was successfully logged on 1
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Am I doing something wrong? I am expecting the output to be only this:
2/22/2016 15:14 4624 XYZU02 HST002 An account was successfully logged on 1
Please help me, as I have tried to use the NOT and WHERE commands too, but it still doesn't work.
Thank you
Looks like you cut out your Security_ID value in your query above; try the below, but put it back in.
index=_win eventid=4624 Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$" |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
Also keep in mind you might have blank spaces in your Account_Name, so you might need to do Account_Name!="-" OR Account_Name!=$* if you want to keep it without the regex.
The logical condition you need to exclude both "-" and Account_Name ending with $ is AND. That is the default logical operator anyway, so try like this:
index=_win eventid=4624 Security_ID= Account_Name!="-" Account_Name!=DHK* Account_Name!=*$ |stats count by win_log_time, eventid, Account_Name, host, EventCodeDescription
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/regex explains the regex command - "The regex command removes results that do not match the specified regular expression."
Right, and the regex I am doing is for anything that doesn't end in $ -- so this regex would return everything !=*$ -- though when I put it into regex101 it appears that it also negates the "-" as well.
Also, the reason regex should be used is that it's faster than using a !=*$ and a !="-", as != comparisons are quite slow on large data sets.
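To see why the three forms of the search in this thread behave differently, here is an added Python model of the filters (this is not Splunk code and not from any poster in the thread). It assumes a simplified, case-insensitive wildcard matcher standing in for SPL's field comparison, and a constructed event list modeled on the rows shown in the question. It shows that "OR" between negations keeps every event (an event only has to fail one of the three comparisons), that the implicit "AND" form keeps only XYZU02, and that the regex form ".*(?<!\$)$" keeps "-" because "-" does not end with $, so the "-" exclusion still has to be applied separately.

```python
import re

# Constructed sample events, modeled on the rows shown in the question above.
# DHK0001 is an added sample to exercise the DHK* exclusion.
EVENTS = [
    {"Account_Name": "-",       "host": "HST002"},
    {"Account_Name": "ABC001$", "host": "HST002"},
    {"Account_Name": "CBAU02$", "host": "HST002"},
    {"Account_Name": "XYZU02",  "host": "HST002"},
    {"Account_Name": "DHK0001", "host": "HST002"},
]


def wildcard_match(pattern, value):
    """Approximation of SPL field wildcard matching: '*' matches any run of
    characters, everything else is literal. Case-insensitive matching is an
    assumption made here to mirror Splunk's default field-value comparison."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def not_equal(pattern, value):
    """Field!=pattern is true when the wildcard pattern does NOT match."""
    return not wildcard_match(pattern, value)


def filter_or_negations(events):
    """The original query: Account_Name!="-" OR Account_Name!=DHK* OR Account_Name!=*$
    An event survives if it fails to match ANY one pattern, so nothing is removed."""
    return [
        e["Account_Name"] for e in events
        if not_equal("-", e["Account_Name"])
        or not_equal("DHK*", e["Account_Name"])
        or not_equal("*$", e["Account_Name"])
    ]


def filter_and_negations(events):
    """The corrected query with implicit AND:
    Account_Name!="-" Account_Name!=DHK* Account_Name!=*$
    An event survives only if it matches NONE of the excluded patterns."""
    return [
        e["Account_Name"] for e in events
        if not_equal("-", e["Account_Name"])
        and not_equal("DHK*", e["Account_Name"])
        and not_equal("*$", e["Account_Name"])
    ]


# The regex from the answer: match any string whose last character is not '$'.
NOT_ENDING_IN_DOLLAR = re.compile(r".*(?<!\$)$")


def filter_regex(events):
    """The answer's pipeline: Account_Name!=DHK* | regex Account_Name=".*(?<!\$)$"
    The regex command keeps only events that match, so names ending in '$'
    are dropped. Note that "-" still matches, so it is kept here."""
    return [
        e["Account_Name"] for e in events
        if not_equal("DHK*", e["Account_Name"])
        and NOT_ENDING_IN_DOLLAR.match(e["Account_Name"]) is not None
    ]


if __name__ == "__main__":
    print("OR of negations :", filter_or_negations(EVENTS))
    print("AND of negations:", filter_and_negations(EVENTS))
    print("regex pipeline  :", filter_regex(EVENTS))
```

Running it prints all five names for the OR form, only XYZU02 for the AND form, and "-" together with XYZU02 for the regex form, which is why the regex answer still needs an explicit Account_Name!="-" (or a second regex) to drop the empty-account rows.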