Hi
I have data like below in the Active Directory.
-
L-15485
D-5486
BLR-DC-09$
Here is my query;
| search "Account Name"="-"
BLR-DC-09$
L-15485
D-5486
BLR-DC-09$
Note: I read splunk document for -(hyphen) it says - for match any character.
Now my question is how to escape that one as it works.
Hello,
you need the where clause.
...|where "Account Name" like "%-%-%"
Thanks,
L
My use case was a little different, I was trying to remove Account_Name = "-" from sourcetype = ActiveDirectory, and the where clause was the only method that I could find that produced the results I needed. Thanks!
I'm not sure where you read that hyphen matches any character in Splunk. Could you please provide a link to where it says that? I can't think of a circumstance where it does, especially inside quotes.
I don't think I understand what you mean by "escape." Are you trying to write a search that returns all rows except the ones where the Account Name field has just a hyphen in it? And if so, does:
"Account Name"!="-"
not work? If not, how about:
"Account Name"!="\-"
What does that get you?
for hyphen?
Try | search "Account Name"="*"
have you tried :
| search "Account Name"="*-*"
I tried that one by that also im getting only BLR-DC-09$
I want to remove only - values from that field.
your query is wrong..