Splunk Search

Search bug when using NOT and specific wildcard based searches?

laleger
Explorer

I've observed some strange behavior with a particular search:

index=test NOT user=*$

Will not return results where user does not end with $ (in my test data there are no users that end with $)

This search however, works just fine and returns results.

index=test user!=*$

I've tested against other indexes and discovered that this problem only presents itself when the "user" field is based upon a calculated/eval based extraction.

Some might ask, why not just use the latter search if it works?

The reason is because the "Authentication" data model used by ES includes such a filter (i.e. tag=authentication NOT (action="success" user=*$)) and I do not want to change the data model unless I absolutely have to.

I appreciate any feedback the Splunk community can offer!

woodcock
Esteemed Legend

The difference is very subtle but not a bug and very useful.

The string NOT user=gReGg drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO KEEPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

The string user != GregG drops events where field 'user' exists AND has value 'gregg' (case does not matter) BUT ALSO DROPS events where field 'user' does not exist (drops events even if '_raw' contains 'gregg').

0 Karma
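To make the distinction in the answer above concrete, here is an added example (not code from either poster, and not Splunk itself) that models the two search semantics in Python over a small set of constructed events. It treats `NOT field=pattern` as "drop only events where the field exists and matches" and `field!=pattern` as "keep only events where the field exists and does not match", with a case-insensitive `*` wildcard so both the `gReGg` and the `*$` cases from the thread can be run through it. The event list, function names and the `field_matches` helper are all assumptions for the example.

```python
import fnmatch

# Constructed sample events for this example (not from the original post).
# The third event has no 'user' field at all, but its _raw text does
# contain 'gregg', which is exactly the case the answer distinguishes.
EVENTS = [
    {"_raw": "login ok user=alice",     "user": "alice"},
    {"_raw": "login ok user=SVC01$",    "user": "SVC01$"},
    {"_raw": "heartbeat from host01 gregg"},            # no 'user' field
    {"_raw": "login ok user=GregG",     "user": "GregG"},
]


def field_matches(event, field, pattern):
    """Splunk-style field comparison: case-insensitive, '*' is a wildcard.

    Returns None when the field is absent from the event, so callers can
    tell 'absent' apart from 'present but different'.  '$' has no special
    meaning to fnmatch, so a pattern like '*$' means 'ends with $'.
    """
    if field not in event:
        return None
    return fnmatch.fnmatchcase(event[field].lower(), pattern.lower())


def search_not(events, field, pattern):
    """Model of:  index=... NOT field=pattern

    Drops events where the field exists AND matches.  Events that lack
    the field are KEPT, regardless of what _raw contains.
    """
    return [e for e in events if field_matches(e, field, pattern) is not True]


def search_neq(events, field, pattern):
    """Model of:  index=... field!=pattern

    Keeps events where the field exists AND does not match.  Events that
    lack the field are DROPPED, regardless of what _raw contains.
    """
    return [e for e in events if field_matches(e, field, pattern) is False]


def kept_only_by_not(events, field, pattern):
    """Events that survive NOT field=pattern but not field!=pattern.

    These are precisely the events with no value for the field; this is
    the set a filter author should look at when the two forms disagree.
    """
    neq = search_neq(events, field, pattern)
    return [e for e in search_not(events, field, pattern) if e not in neq]


if __name__ == "__main__":
    for pattern in ("gReGg", "*$"):
        print(f"NOT user={pattern}: ",
              [e.get("user", "<no user>") for e in search_not(EVENTS, "user", pattern)])
        print(f"user!={pattern}:    ",
              [e.get("user", "<no user>") for e in search_neq(EVENTS, "user", pattern)])
        print("kept only by NOT:",
              [e["_raw"] for e in kept_only_by_not(EVENTS, "user", pattern)])
```

Running it shows the heartbeat event (no `user` field) survives `NOT user=gReGg` and `NOT user=*$` but is dropped by the `!=` forms. For a data-model filter like the one quoted in the question, that is the set of events whose presence or absence changes between the two spellings, which is worth knowing before deciding which form a search or data model should use.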