Hello Everyone,
I'm hitting a snag and need some help. So I have an index whereby we have many account names returned to us from an index. Some of these account names end in the $ character.
I am trying to filter any events where the account name ends in $ out of the result set.
I have tried search NOT account_name = "*$"
but this doesn't seem to work. I am guessing that $ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.
Anyone got any hints for me? I would really appreciate it.
I'm assuming the answer below works fine but if not try the following:
| where NOT LIKE(field,"%$")
This should work:
account_name != "*$"
Hi All,
Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing I found that the account_name attribute had two values: one for the user who created the event (what I was after) and one for the AD machine account (ending in $, which I was trying to filter out). Basically, when I ran your (and my) search strings they were working, but all account_name attributes had a value ending in $.
As such, I explored and found another attribute that only has the user name (and no machine name). Performing both your functions on that worked well.
Both your answers work to do what I asked though so thank you 🙂
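To illustrate the multivalue behaviour described in the reply above, here is an added SPL example that is not part of the original thread. It assumes Windows Security events in an index named wineventlog with a multivalue account_name field (both names are assumptions); instead of dropping the whole event when any value ends in $, mvfilter keeps only the values that do not, so the human account survives while the machine account is removed.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
| eval user_accounts=mvfilter(NOT match(account_name, "\$$"))
| where isnotnull(user_accounts)
| table _time, EventCode, user_accounts
```

A plain NOT account_name="*$" excludes an event as soon as any one of its values matches, which is why the original filter appeared to remove everything.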
Have you tried using NOT "*\$" ?