Splunk Search

How to escape the percent character (%) when using the like function?

IVV
Path Finder

Hello!

I use the like function as a part of search to exclude src_ip values which contain the "%" character.

NOT like(src_ip, "%\%%")

But escaping doesn't work. How can I escape it properly?

Thanks.

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

I would suggest to use 'match' function instead of LIKE here.

example usage: (Runanywhere sample search)

| gentimes start=-1 | eval temp="Somesh%Soni Somesh#Soni" | table temp | makemv temp | mvexpand temp | where NOT match(temp,".*%.*")

View solution in original post

somesoni2
Revered Legend

I would suggest to use 'match' function instead of LIKE here.

example usage: (Runanywhere sample search)

| gentimes start=-1 | eval temp="Somesh%Soni Somesh#Soni" | table temp | makemv temp | mvexpand temp | where NOT match(temp,".*%.*")

IVV
Path Finder

Thank you. It works.

0 Karma

fdi01
Motivator

the src_ip values are like this : xx.zz.dd.hh exple( src_ip=127.0.0.1)
try like this:
NOT like(src_ip, "127.%.%.%")
or
NOT like(src_ip, "%.%.%.%")

0 Karma

IVV
Path Finder

Sorry, it doesn't solve the problem. And in my case src_ip is both IPv4 and IPv6.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...