Search bug when using NOT and specific wildcard ba...

laleger · ‎08-18-2015

I've observed some strange behavior with a particular search:

index=test NOT user=*$

Will not return results where user does not end with $ (in my test data there are no users that end with $)

This search however, works just fine and returns results.

index=test user!=*$

I've tested against other indexes and discovered that this problem only presents itself when the "user" field is based upon a calculated/eval based extraction.

Some might ask, why not just use the latter search if it works?

The reason is because the "Authentication" data model used by ES includes such a filter (i.e. tag=authentication NOT (action="success" user=*$) and I do not want to change the data model unless I absolutely have to.

I appreciate any feedback the Splunk community can offer!

woodcock · ‎08-20-2015

The difference is very subtle but not a bug and very useful.

The string NOT user=gReGg drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO KEEPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

The string user != GregG drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO DROPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

Search bug when using NOT and specific wildcard based searches?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Search bug when using NOT and specific wildcard based searches?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases