Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex in search to filter not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am currently trying to work on a search where are admins in my results. I want the search to show only regular users and admins are noted by a -abc next to their name. This is what I currently have and I get the same amount of results with or without regex:
... | regex <user>!="<-abc>" |
So for example the user field will have johnny and a separate line for johnny-abc. I want to search and not have a result if -abc is found in the user field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):
... | regex user!=".*\-abc$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):
... | regex user!=".*\-abc$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you explain to me what the . , forward slash, and $ are for? I have been looking at the regex documentation and cant seem to find anything solid. I would like to know this so I can do a regex to take into account a abc-USERNAME where abc- is what I would want to filter against to not include. In this case abc- is at the begining and the *(everything) would come after
EDIT: I believe I got it. regex user!="abc-.*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The . matches any 1 character and the * modifies the character class that precedes it with zero or more of those. The \ escapes the next character that follows so that it is taken literally instead of indicating special functio n/token (in this case it is sperflous and you don't need it; it was a mistake on my part). The $ says no more characters after this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you please provide some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not simply use this
your base search ..| search user!="*-abc"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked as well as the suggestion from Wood about regex. Thank you!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
