I am writing a Windows Security Log search for user accounts and have the eventID I need to search for but the results not only return user accounts, but also computer accounts ending with a $ sign. Ex., user= Win-w7dc008$ and user=jsmith. How do I get my search to ignore user accounts ending with a $ sign and only return user=jsmith?
This is what I am using with no luck.
NOT user=\"\w*\"
TIA
Try this
yoursearchhere
| regex user!="\$$"
Worked perfectly. Thanks!