Hi,
I have a field named hello_world and a value of the field is *
I am writing a search where the results will not include this value *.
The problem is if I write for example:
index=my_index NOT hello_world="*"
I will get no results that have any value for field hello_world, and at face value that makes sense. So how can I tell Splunk to say NOT field=* (just the string/symbol) instead of NOT field=* (no results at all)?
Hi
I know this is an old question, but I have a solution that worked for me. It is a bit hacky, but if your conscience allows you to live with that, here it is.
rex mode=sed field=myfieldwithanasterisk "s/\*/ASTERISK/g"
This will change the * to the word ASTERISK in the field myfieldwithanasterisk, allowing you to then manipulate the field in any way you want.
Thanks
Darren
This is a known bug, which is present in the Release Notes' Known Issues page.
There is no way to escape an asterisk (*) in the search language. (SPL-30079)
So you should go for the suggested workarounds...
I am good at finding Splunk bugs 😉
You may need to do something like this:
index=my_index | where NOT match(hello_world, "\*")
match uses regular expressions, so you just needed to anchor it then: "where NOT match(hello_world, "^\*$")"
The match command works, but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.
You can also do simple string comparison in the where command:
... | where NOT hello_world="*"
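The three where-based filters suggested in the answers above, run side by side as an added example that is not part of the original thread. The three hello_world values are constructed sample data, and the output field names (unanchored_match, anchored_match, string_compare) are hypothetical.

```spl
| makeresults count=3
| streamstats count AS n
| eval hello_world=case(n=1, "*", n=2, "a*b", n=3, "abc")
| eval unanchored_match=if(match(hello_world, "\*"), "excluded", "kept")
| eval anchored_match=if(match(hello_world, "^\*$"), "excluded", "kept")
| eval string_compare=if(hello_world="*", "excluded", "kept")
| table hello_world unanchored_match anchored_match string_compare
```

The value a*b is excluded only by the unanchored match, while the anchored match and the string comparison exclude just the literal * value.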