Splunk Search

field value *

Motivator

Hi,

I have a field named hello_world and a value of the field is *

I am writing a search where the results will not include this value *.

The problem is if I write for example:
index=my_index NOT hello_world="*"

I will get no results that have any value for field hello_world and at face value that makes sense. So how can I tell Splunk to say NOT field=* (just the string/symbol) instead of NOT field=* (no results at all)

0 Karma
1 Solution

Splunk Employee
Splunk Employee

You may need to do something like this:

index=my_index | where NOT match(hello_world, "\*")

View solution in original post

Path Finder

Hi

i know this is an old question, but i have a solution that worked for me, it is a bit hacky, but if your conscience allows you to live with that, here it is.

rex mode=sed field=myfieldwithanasterisk "s/\*/ASTERISK/g"

This will change the * to the word ASTERISK in the field myfieldwithanasterisk allowing you to then manipulate the field in anyway you want.

Thanks
Darren

0 Karma

This is a known bug, which is present in the Release Notes' Known Issues page.

There is no way to escape an asterisk (*) in the search language. (SPL-30079)

So you should go for the suggested workarounds...

Motivator

I am good at finding Splunk bugs 😉

0 Karma

Splunk Employee
Splunk Employee

You may need to do something like this:

index=my_index | where NOT match(hello_world, "\*")

View solution in original post

Splunk Employee
Splunk Employee

match uses regular expressions, so you just needed to anchor it then: "where NOT match(hello_world, "^\*$")"

0 Karma

Motivator

the match command works but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.

0 Karma

Influencer

You can also do simple string comparison in the where command:

... | where NOT hello_world="*"