Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check field values containing an underscore in splunk?

iamarkaprabha
Contributor
‎02-08-2018 03:28 AM

Hi All,

I was trying to filter out the usernames which contains underscore in splunk.
I had tried with regex Account_Name="._." and Account_Name="_"

But results are coming with all the values containing special characters in their value like arka$123 or arka&

Can you explain how to overcome this kind of situation

0 Karma
Reply

mclane1
Path Finder
‎02-19-2021 01:20 AM

Hello, any answer for this question.

In search mode, like others people say : you can search

<your_search> field=*_*

In like command, underscore (like percent) is a wildcard (percent is ".*" and underscore is "."). You have to use match with real regex. Exemple :

<your_search> | where match(field,".*_.*")

 

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎02-08-2018 04:38 AM

A run-anywhere:

| makeresults | eval test="Billy_Sally" | search test="*_*"

This searches for events that have a field named test, and where that field's contents have an underscore. In this test case the event shows up (e.g. the search matches).

Compare that with 

| makeresults | eval test="Billy_Sally" | search test!="*_*"

This searches for events that have a field named test, but where that fields contents do not have an underscore. If you run this search, nothing shows up.

In your case, make sure you are using != .

Happy Splunking,
Rich

Reply

harsmarvania57
Ultra Champion
‎02-08-2018 04:38 AM

Hi

Please try to run <yourBaseSearch> Account_Name=*_*

I have created run anywhere search which is only searching values with _ from field1

| makeresults | eval field1="abc_test"
| append [ makeresults | eval field1="abc123&" ]
| search field1=*_*

I hope this helps.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...