Solved: How to filter out search results where a field val...

Bytes · ‎12-21-2015

Hello Everyone,

Am hitting a snag and need some help. So I have an index whereby we have many account names returned to us from an index. Some of these account names end in the $ character.

I am trying to filter any events where the account name ends in $ out of the result set.

I have tried search NOT account_name = "*$" but this doesn't seem to work. I am guessing that $ is a reserved character or something as this works fine when filtering out other stuff not ending in a special character.

Anyone got any hints for me? I would really appreciate it.

javiergn · ‎12-22-2015

I'm assuming the answer below works fine but if not try the following:

| where NOT LIKE(field,"%$")

View solution in original post

weicai88 · ‎01-17-2017

This should work:

account_name != "*$"

javiergn · ‎12-22-2015

I'm assuming the answer below works fine but if not try the following:

| where NOT LIKE(field,"%$")

Bytes · ‎12-22-2015

Hi All,

Thanks for your responses. I found the problem. After exploring the events that Splunk was indexing I found that the account_name atribute had two values. One of the user who created the event (what I was after) and one of the AD machine account (ending $ that I was trying to filter out). Basically when I ran your (and my) search strings they were working but all acount_name atributes had a value ending $.

As such, I explored and found another atribute that only has the user name (and no machine name). Performing both your functions on that worked well.

Both your answers work to do what I asked though so thank you 🙂

sundareshr · ‎12-21-2015

Have you tried using NOT "*\$"?

How to filter out search results where a field value ends with the $ character?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!