Splunk Search

How to filter out search results where a field value ends with the $ character?

Explorer

Hello Everyone,

I'm hitting a snag and need some help. So I have an index from which many account names are returned to us. Some of these account names end in the $ character.

I am trying to filter any events where the account name ends in $ out of the result set.

I have tried search NOT account_name = "*$" but this doesn't seem to work. I am guessing that $ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.

Anyone got any hints for me? I would really appreciate it.

1 Solution

SplunkTrust

I'm assuming the answer below works fine but if not try the following:

| where NOT LIKE(field,"%$")


Path Finder

This should work:

account_name != "*$"

0 Karma


Explorer

Hi All,

Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing, I found that the accountname attribute had two values: one for the user who created the event (what I was after) and one for the AD machine account (ending in $, which I was trying to filter out). Basically, when I ran your (and my) search strings they were working, but every accountname attribute had a value ending in $.

As such, I explored and found another attribute that only has the user name (and no machine name). Performing both of your functions on that worked well.

Both your answers work to do what I asked though so thank you 🙂

0 Karma
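As an added example (not from any of the posters), one way to handle the multivalued case described above without switching to a different field: keep only the values of account_name that do not end in $, so the user account survives while the machine account is dropped. The index and sourcetype names are assumptions; account_name is the field from this thread.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
| eval user_account=mvfilter(NOT like(account_name, "%$"))
| where isnotnull(user_account)
| table _time user_account account_name
```

Because mvfilter evaluates the predicate per value, an event whose account_name holds both "jdoe" and "HOST01$" yields user_account="jdoe" instead of being discarded outright, which is what happens when NOT like() or != is applied to the whole multivalued field.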

Legend

Have you tried using NOT "*\$"?