Splunk Search

Search bug when using NOT and specific wildcard based searches?

laleger
Explorer

I've observed some strange behavior with a particular search:

index=test NOT user=*$

Will not return results where user does not end with $ (in my test data there are no users that end with $)

This search however, works just fine and returns results.

index=test user!=*$

I've tested against other indexes and discovered that this problem only presents itself when the "user" field is based upon a calculated/eval based extraction.

Some might ask, why not just use the latter search if it works?

The reason is because the "Authentication" data model used by ES includes such a filter (i.e. tag=authentication NOT (action="success" user=*$) and I do not want to change the data model unless I absolutely have to.

I appreciate any feedback the Splunk community can offer!

woodcock
Esteemed Legend

The difference is very subtle but not a bug and very useful.

The string NOT user=gReGg drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO KEEPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

The string user != GregG drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO DROPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...