Solved: Search character *

gerbert · ‎04-27-2021

Hello,

I want to make the following search:

index = "myIndex" myfield != "35*"

Is there a way to excluse all values of myfield that start with "35" except "35" itself. so for example i want to exclude:

myfield values:

35457, 35568, 351 but not 35 itself.

I know that in regex you can use "+" to indicate the use of "one or more" matches but I don't know how to use it in a splunk search.

Cheers

Fritz

gerbert · ‎04-27-2021

Thanks for your help but I figured it out. The search:

index = "myIndex" | regex myfield != "^(35).+"

gives me what i want

gcusello · ‎04-27-2021

di you tried:

index = "myIndex" myfield="35"

?

Ciao.

Giuseppe

gerbert · ‎04-27-2021

I need the "!=" in my search because I want to explicitly exclude some values from my search. So replacing "!=" with "=" doesn't help me.

gcusello · ‎04-27-2021

let me understand your search need:

if you want to take only the exact value "35", = is the solution, what are the other need of your search so the = isn't the solution?

Ciao.

Giuseppe

gerbert · ‎04-27-2021

I do not want the value "35" to be excluded, which would be the case with the search myfield!="35*".

Saying i don't want the "35" excluded is different from saying I want the "35" value.

gcusello · ‎04-27-2021

Ok understood!

please try this:

index = "myIndex" (myfield!="35" OR myfield="35")

Ciao.

Giuseppe

gerbert · ‎04-27-2021

Thanks for your help but I figured it out. The search:

index = "myIndex" | regex myfield != "^(35).+"

gives me what i want

Search character *