I was trying to filter out the usernames which contain an underscore in Splunk.
I had tried with regex Account_Name="._." and Account_Name="_".
But the results are coming back with all the values containing special characters, like arka$123 or arka&.
Can you explain how to overcome this kind of situation?
Hello, any answer for this question?
In search mode, like other people say: you can search
In the like command, underscore (like percent) is a wildcard (percent is ".*" and underscore is "."). You have to use match with a real regex. Example:
<your_search> | where match(field,".*_.*")
| makeresults | eval test="Billy_Sally" | search test="*_*"
This searches for events that have a field named test, and where that field's contents have an underscore. In this test case the event shows up (i.e. the search matches).
Compare that with
| makeresults | eval test="Billy_Sally" | search test!="*_*"
This searches for events that have a field named test, but where that field's contents do not have an underscore. If you run this search, nothing shows up.
In your case, make sure you are using !=.
Please try to run <yourBaseSearch> Account_Name=*_*
I have created a run-anywhere search which only searches for values with _ in field1:
| makeresults | eval field1="abc_test"
| append [ makeresults | eval field1="abc123&" ]
| search field1=*_*
I hope this helps.
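An added run-anywhere comparison (not from any of the posts above) of the like and match behaviour described in the thread. The values arka$123 and arka& come from the question; arka_123 and arka are constructed sample values, and the output field names like_underscore and regex_underscore are made up for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval Account_Name=case(n=1,"arka_123", n=2,"arka$123", n=3,"arka&", n=4,"arka")
| eval like_underscore=if(like(Account_Name,"%_%"),"match","no match")
| eval regex_underscore=if(match(Account_Name,"_"),"match","no match")
| table Account_Name like_underscore regex_underscore
```

Every row reports "match" for like_underscore, because in like the underscore stands for any single character, while regex_underscore reports "match" only for arka_123.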