Splunk Search

Search bug when using NOT and specific wildcard based searches?

laleger
Explorer

I've observed some strange behavior with a particular search:

index=test NOT user=*$

Will not return results where user does not end with $ (in my test data there are no users that end with $)

This search however, works just fine and returns results.

index=test user!=*$

I've tested against other indexes and discovered that this problem only presents itself when the "user" field is based upon a calculated/eval based extraction.

Some might ask, why not just use the latter search if it works?

The reason is because the "Authentication" data model used by ES includes such a filter (i.e. tag=authentication NOT (action="success" user=*$) and I do not want to change the data model unless I absolutely have to.

I appreciate any feedback the Splunk community can offer!

woodcock
Esteemed Legend

The difference is very subtle but not a bug and very useful.

The string NOT user=gReGg drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO KEEPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

The string user != GregG drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO DROPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...