Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to filter out search results where a field val...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bytes
Explorer
12-21-2015
06:35 AM
Hello Everyone,
Am hitting a snag and need some help. So I have an index whereby we have many account names returned to us from an index. Some of these account names end in the $ character.
I am trying to filter any events where the account name ends in $ out of the result set.
I have tried search NOT account_name = "*$" but this doesn't seem to work. I am guessing that $ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.
Anyone got any hints for me? I would really appreciate it.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-22-2015
12:32 AM
I'm assuming the answer below works fine but if not try the following:
| where NOT LIKE(field,"%$")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
weicai88
Path Finder
01-17-2017
01:50 PM
This should work:
account_name != "*$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
12-22-2015
12:32 AM
I'm assuming the answer below works fine but if not try the following:
| where NOT LIKE(field,"%$")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bytes
Explorer
12-22-2015
12:58 AM
Hi All,
Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing I found that the account_name atribute had two values. One of the user who created the event (what I was after) and one of the AD machine account (ending $ that I was trying to filter out). Basically when I ran your (and my) search strings they were working but all acount_name atributes had a value ending $.
As such, I explored and found another atribute that only has the user name (and no machine name). Performing both your functions on that worked well.
Both your answers work to do what I asked though so thank you 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-21-2015
07:48 AM
Have you tried using NOT "*\$"?
Get Updates on the Splunk Community!
Introducing the Splunk Developer Program!
Hey Splunk community!
We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Splunkbase Year in Review 2024
Reflecting on 2024, it’s clear that innovation and collaboration have defined the journey for Splunk ...
Developer Spotlight with Brett Adams
In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...
