Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter out search results where a field value ends with the $ character?

Bytes
Explorer
‎12-21-2015 06:35 AM

Hello Everyone,

Am hitting a snag and need some help. So I have an index whereby we have many account names returned to us from an index. Some of these account names end in the $ character.

I am trying to filter any events where the account name ends in $ out of the result set.

I have tried search NOT account_name = "*$" but this doesn't seem to work. I am guessing that $ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.

Anyone got any hints for me? I would really appreciate it.

Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎12-22-2015 12:32 AM

I'm assuming the answer below works fine but if not try the following:

| where NOT LIKE(field,"%$")

View solution in original post

Reply
Solved! Jump to solution

weicai88
Path Finder
‎01-17-2017 01:50 PM

This should work:

account_name != "*$"

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎12-22-2015 12:32 AM

I'm assuming the answer below works fine but if not try the following:

| where NOT LIKE(field,"%$")
Reply
Solved! Jump to solution

Bytes
Explorer
‎12-22-2015 12:58 AM

Hi All,

Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing I found that the account_name atribute had two values. One of the user who created the event (what I was after) and one of the AD machine account (ending $ that I was trying to filter out). Basically when I ran your (and my) search strings they were working but all acount_name atributes had a value ending $.

As such, I explored and found another atribute that only has the user name (and no machine name). Performing both your functions on that worked well.

Both your answers work to do what I asked though so thank you 🙂

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-21-2015 07:48 AM

Have you tried using NOT "*\$"?

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...