Am hitting a snag and need some help. So I have an index whereby we have many account names returned to us from an index. Some of these account names end in the
I am trying to filter any events where the account name ends in
$ out of the result set.
I have tried
search NOT account_name = "*$" but this doesn't seem to work. I am guessing that
$ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.
Anyone got any hints for me? I would really appreciate it.
I'm assuming the answer below works fine but if not try the following:
| where NOT LIKE(field,"%$")
Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing I found that the accountname atribute had two values. One of the user who created the event (what I was after) and one of the AD machine account (ending $ that I was trying to filter out). Basically when I ran your (and my) search strings they were working but all acountname atributes had a value ending $.
As such, I explored and found another atribute that only has the user name (and no machine name). Performing both your functions on that worked well.
Both your answers work to do what I asked though so thank you 🙂