Splunk Search

Regex in search to filter not working

santorof
Communicator

I am currently trying to work on a search where there are admins in my results. I want the search to show only regular users, and admins are noted by a -abc next to their name. This is what I currently have, and I get the same number of results with or without regex:

... | regex <user>!="<-abc>" | 

So for example the user field will have johnny and a separate line for johnny-abc. I want to search and not have a result if -abc is found in the user field.


woodcock
Esteemed Legend

Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):

 ... | regex user!=".*\-abc$"


santorof
Communicator

Could you explain to me what the ., forward slash, and $ are for? I have been looking at the regex documentation and can't seem to find anything solid. I would like to know this so I can do a regex to take into account an abc-USERNAME, where abc- is what I would want to filter against to not include. In this case abc- is at the beginning and the * (everything) would come after.

EDIT: I believe I got it. regex user!="abc-.*"


woodcock
Esteemed Legend

The . matches any 1 character and the * modifies the character class that precedes it with zero or more of those. The \ escapes the next character that follows so that it is taken literally instead of indicating a special function/token (in this case it is superfluous and you don't need it; it was a mistake on my part). The $ says no more characters after this.

MuS
SplunkTrust

Could you please provide some sample events?


somesoni2
Revered Legend

Why not simply use this

your base search ..| search user!="*-abc"

santorof
Communicator

This worked as well as the suggestion from Wood about regex. Thank you!

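The following is an added example, not code from the thread or from Splunk itself. It emulates in Python what the two filters above do to a user field (`| regex user!="..."` is an unanchored regex search that drops matching events; `| search user!="*-abc"` is a whole-value wildcard comparison), run over a small constructed list of user values. The sample values and the two helper functions (regex_exclude, search_exclude) are assumptions made for the demonstration; Splunk's real search pipeline is not involved.

```python
import re

# Constructed sample values for the "user" field (not taken from the thread).
SAMPLE_USERS = ["johnny", "johnny-abc", "otherguy", "woodcock-abc", "abc-sarah", "abc-sarah-abc"]


def regex_exclude(users, pattern):
    """Emulate Splunk `| regex user!="<pattern>"`: keep only events whose user field
    does NOT match. The regex command is an unanchored search, like re.search, so the
    pattern can match anywhere in the value unless you anchor it with ^ or $."""
    compiled = re.compile(pattern)
    return [u for u in users if not compiled.search(u)]


def wildcard_to_regex(glob):
    """Turn a Splunk search-style wildcard (* = any run of characters) into an anchored
    regex. `search user!="*-abc"` compares the whole field value, hence the anchors."""
    return "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"


def search_exclude(users, glob):
    """Emulate Splunk `| search user!="<glob>"` via the anchored regex above."""
    return regex_exclude(users, wildcard_to_regex(glob))


if __name__ == "__main__":
    # The original attempt: the angle brackets are literal characters, so "<-abc>" never
    # matches a real user value and nothing is filtered (same count with or without regex).
    print(regex_exclude(SAMPLE_USERS, "<-abc>"))
    # Accepted answer: suffix filter anchored with $ drops every "...-abc" user.
    print(regex_exclude(SAMPLE_USERS, r".*\-abc$"))
    # The asker's follow-up prefix filter. Without a leading ^ it also matches "abc-"
    # in the middle of a value; anchoring as "^abc-" keeps it to true prefixes.
    print(regex_exclude(SAMPLE_USERS, "abc-.*"))
    # somesoni2's wildcard form, which compares the whole value.
    print(search_exclude(SAMPLE_USERS, "*-abc"))
```

One caveat worth knowing when choosing between the two forms: Splunk's `search` command compares field values case-insensitively, while `regex` is case-sensitive by default, so a user named JOHNNY-ABC would be dropped by `search user!="*-abc"` but kept by `regex user!=".*-abc$"` unless you add the `(?i)` flag.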