Splunk Search

Regex in search to filter not working

santorof
Communicator

I am currently trying to work on a search where are admins in my results. I want the search to show only regular users and admins are noted by a -abc next to their name. This is what I currently have and I get the same amount of results with or without regex:

... | regex <user>!="<-abc>" | 

So for example the user field will have johnny and a separate line for johnny-abc. I want to search and not have a result if -abc is found in the user field.

0 Karma
1 Solution

woodcock
Esteemed Legend

Assuming you have a field named user which has values such as woodcock-abc for admins and values such as otherguy for non-admins, you should be able to use this (among many other ways):

 ... | regex user!=".*\-abc$"

0 Karma

santorof
Communicator

Could you explain to me what the ., forward slash, and $ are for? I have been looking at the regex documentation and can't seem to find anything solid. I would like to know this so I can do a regex to take into account an abc-USERNAME where abc- is what I would want to filter against to not include. In this case abc- is at the beginning and the * (everything) would come after.

EDIT: I believe I got it. regex user!="abc-.*"

0 Karma

woodcock
Esteemed Legend

The . matches any 1 character and the * modifies the character class that precedes it with zero or more of those. The \ escapes the next character that follows so that it is taken literally instead of indicating a special function/token (in this case it is superfluous and you don't need it; it was a mistake on my part). The $ says no more characters after this.
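To see why the first attempt returned the same event count, and exactly which values the suffix pattern (.*-abc$), the prefix pattern (abc-.*) and the wildcard form (user!="*-abc") drop, here is an added Python example that emulates both Splunk filters over constructed user values. It is not code from the thread or from Splunk; the sample usernames and the assumption that Splunk's regex command is an unanchored, case-sensitive PCRE search are mine.

```python
import re

# Constructed sample values for the "user" field (not from the thread).
# Regular users have plain names; admins carry a -abc suffix or an abc- prefix.
SAMPLE_USERS = ["johnny", "johnny-abc", "abc-johnny",
                "woodcock-abc", "otherguy", "abc-", "-abc"]


def regex_filter(users, pattern):
    """Emulate `| regex user!="<pattern>"`.

    Assumption: Splunk's regex command is an unanchored PCRE search, so a
    value is excluded when the pattern matches anywhere in it. Anchors (^, $)
    are therefore the only way to pin the match to the start or end.
    """
    compiled = re.compile(pattern)
    return [u for u in users if not compiled.search(u)]


def wildcard_filter(users, glob):
    """Emulate `| search user!="<glob>"`, where * matches any run of characters.

    Assumption: the search comparison covers the whole value, so the glob is
    translated to a fully anchored regex before being applied.
    """
    parts = [re.escape(part) for part in glob.split("*")]
    compiled = re.compile("^" + ".*".join(parts) + "$")
    return [u for u in users if not compiled.search(u)]


def drop_admins(users):
    """Keep only regular users: exclude both the -abc suffix and the abc- prefix.

    ^abc- is used rather than abc-.* so that a name merely containing "abc-"
    in the middle (e.g. "xabc-y") is not mistaken for an admin account.
    """
    return regex_filter(regex_filter(users, r"-abc$"), r"^abc-")


if __name__ == "__main__":
    # The original attempt: angle brackets are literal characters, so the
    # pattern never matches and nothing is filtered (same count as before).
    print("original attempt:", regex_filter(SAMPLE_USERS, r"<-abc>"))
    print("suffix regex:    ", regex_filter(SAMPLE_USERS, r".*-abc$"))
    print("search wildcard: ", wildcard_filter(SAMPLE_USERS, "*-abc"))
    print("prefix regex:    ", regex_filter(SAMPLE_USERS, r"abc-.*"))
    print("regular users:   ", drop_admins(SAMPLE_USERS))
```

Run with no arguments; the suffix regex and the wildcard form return the same list, which is why both answers in the thread work.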

MuS
SplunkTrust

Could you please provide some sample events?

0 Karma

somesoni2
Revered Legend

Why not simply use this

your base search ..| search user!="*-abc"

santorof
Communicator

This worked as well as the suggestion from Wood about regex. Thank you!

0 Karma