- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex in search to filter not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am currently trying to work on a search where are admins in my results. I want the search to show only regular users and admins are noted by a -abc next to their name. This is what I currently have and I get the same amount of results with or without regex:
... | regex <user>!="<-abc>" |
So for example the user field will have johnny and a separate line for johnny-abc. I want to search and not have a result if -abc is found in the user field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):
... | regex user!=".*\-abc$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):
... | regex user!=".*\-abc$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you explain to me what the . , forward slash, and $ are for? I have been looking at the regex documentation and cant seem to find anything solid. I would like to know this so I can do a regex to take into account a abc-USERNAME where abc- is what I would want to filter against to not include. In this case abc- is at the begining and the *(everything) would come after
EDIT: I believe I got it. regex user!="abc-.*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The . matches any 1 character and the * modifies the character class that precedes it with zero or more of those. The \ escapes the next character that follows so that it is taken literally instead of indicating special functio n/token (in this case it is sperflous and you don't need it; it was a mistake on my part). The $ says no more characters after this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you please provide some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not simply use this
your base search ..| search user!="*-abc"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked as well as the suggestion from Wood about regex. Thank you!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
