I've observed some strange behavior with a particular search:
index=test NOT user=*$
Will not return results where user does not end with $ (in my test data there are no users that end with $)
This search however, works just fine and returns results.
index=test user!=*$
I've tested against other indexes and discovered that this problem only presents itself when the "user" field is based upon a calculated/eval based extraction.
Some might ask, why not just use the latter search if it works?
The reason is because the "Authentication" data model used by ES includes such a filter (i.e. tag=authentication NOT (action="success" user=*$)) and I do not want to change the data model unless I absolutely have to.
I appreciate any feedback the Splunk community can offer!
The difference is very subtle but not a bug and very useful.
The string NOT user=gReGg
drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO KEEPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').
The string user != GregG
drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO DROPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').
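The field-existence rule described in the answer above, modelled in Python as an added example (this is not code from the original thread, and SPL itself cannot be run here). The events, the `user` values and the null calculated field are constructed for illustration; `field!=x` is modelled as "field exists AND does not match", while `NOT field=x` is modelled as "not (field exists AND matches)", so only the second keeps events that have no `user` field at all:

```python
"""Model of Splunk's `NOT field=value` versus `field!=value` semantics.

Constructed sample data; not from the original post. Matching is
case-insensitive and supports the `*` wildcard, like a Splunk field test.
"""
import fnmatch

# Constructed sample events. The fourth has no extracted 'user' field at all
# (but mentions gregg in _raw); the fifth models an eval-based calculated
# field that evaluated to null for this event.
EVENTS = [
    {"_raw": "login ok user=alice", "user": "alice"},
    {"_raw": "login ok user=SVC01$", "user": "SVC01$"},
    {"_raw": "login ok user=gReGg", "user": "gReGg"},
    {"_raw": "login failed for gregg"},
    {"_raw": "login ok", "user": None},
]


def field_exists(event, field):
    """A field counts as present only if it has a non-null value."""
    return event.get(field) is not None


def field_matches(event, field, pattern):
    """`field=pattern`: field exists AND its value matches the pattern.

    Case-insensitive; `*` matches any run of characters. `$` has no special
    meaning in fnmatch, so `*$` means "ends with a literal dollar sign".
    """
    if not field_exists(event, field):
        return False
    return fnmatch.fnmatchcase(event[field].lower(), pattern.lower())


def search_not(events, field, pattern):
    """`NOT field=pattern`: drop events where the field exists AND matches.

    Events that lack the field (or whose calculated value is null) are KEPT,
    regardless of what _raw contains.
    """
    return [e for e in events if not field_matches(e, field, pattern)]


def search_neq(events, field, pattern):
    """`field!=pattern`: keep events where the field exists AND does not match.

    Events that lack the field (or whose calculated value is null) are DROPPED,
    regardless of what _raw contains.
    """
    return [
        e for e in events
        if field_exists(e, field) and not field_matches(e, field, pattern)
    ]


def describe(results):
    """Human-readable summary of a result set for the demo below."""
    return [e.get("user", "<no user field>") for e in results]


if __name__ == "__main__":
    for pattern in ("*$", "gReGg"):
        print(f"NOT user={pattern:<6} ->", describe(search_not(EVENTS, "user", pattern)))
        print(f"user!={pattern:<6}     ->", describe(search_neq(EVENTS, "user", pattern)))
```

With the constructed data, `NOT user=*$` keeps four events (everything except `SVC01$`, including the two with no usable `user` value), while `user!=*$` keeps only `alice` and `gReGg`. Likewise `NOT user=gReGg` keeps the event whose `_raw` mentions gregg but has no `user` field, and `user!=gReGg` drops it; the difference is field existence, not the raw text.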