Splunk Search

How to check field values containing an underscore in splunk?


Hi All,

I was trying to filter out the usernames which contains underscore in splunk.
I had tried with regex Account_Name="._." and Account_Name="_"

But results are coming with all the values containing special characters in their value like arka$123 or arka&

Can you explain how to overcome this kind of situation

0 Karma

Path Finder

Hello, any answer for this question.

In search mode, like others people say : you can search

<your_search> field=*_*

In like command, underscore (like percent) is a wildcard (percent is ".*" and underscore is "."). You have to use match with real regex. Exemple :

<your_search> | where match(field,".*_.*")


0 Karma


A run-anywhere:

| makeresults | eval test="Billy_Sally" | search test="*_*"

This searches for events that have a field named test, and where that field's contents have an underscore. In this test case the event shows up (e.g. the search matches).

Compare that with

| makeresults | eval test="Billy_Sally" | search test!="*_*"

This searches for events that have a field named test, but where that fields contents do not have an underscore. If you run this search, nothing shows up.

In your case, make sure you are using != .

Happy Splunking,



Please try to run <yourBaseSearch> Account_Name=*_*

I have created run anywhere search which is only searching values with _ from field1

| makeresults | eval field1="abc_test"
| append [ makeresults | eval field1="abc123&" ]
| search field1=*_*

I hope this helps.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!