Solved: exclude asterisk character from a search

gcusello · ‎05-22-2015

Hi at all,
I have a field (called uid) with some values = "*" and I'd like to exclude them from the results of my search.
I tried with uid="*" but Splunk read asterisk as a wildcard.
How can I do this?
Thanks in advance.
Giuseppe

woodcock · ‎05-24-2015

The base SPL always treats asterisk as wildcard and it cannot be escaped. However, there are several ways to do this by piping to where, such as like or match (you could also pipe to regex😞

... | where NOT match(uid, "\*")

View solution in original post

chimell · ‎05-24-2015

Hi cusello
Try this search code

......|table uid |where isnotnull(uid)

Look at an example

sourcetype=access_* |table  categoryId |where isnotnull(categoryId)

It works well

woodcock · ‎05-24-2015

The base SPL always treats asterisk as wildcard and it cannot be escaped. However, there are several ways to do this by piping to where, such as like or match (you could also pipe to regex😞

... | where NOT match(uid, "\*")

Arun_N_007 · ‎05-22-2015

Why dont you Try with where command it will work

..|where uid=="*"

Arun_N_007 · ‎05-22-2015

Here you can use NOT operator along with where to exclude.

exclude asterisk character from a search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?