Splunk Search

field value *

Ant1D
Motivator

Hi,

I have a field named hello_world and a value of the field is *

I am writing a search where the results will not include this value *.

The problem is if I write for example:
index=my_index NOT hello_world="*"

I will get no results that have any value for field hello_world and at face value that makes sense. So how can I tell Splunk to say NOT field=* (just the string/symbol) instead of NOT field=* (no results at all)?

0 Karma
1 Solution

mw
Splunk Employee

You may need to do something like this:

index=my_index | where NOT match(hello_world, "\*")

darrend
Path Finder

Hi

I know this is an old question, but I have a solution that worked for me. It is a bit hacky, but if your conscience allows you to live with that, here it is.

rex mode=sed field=myfieldwithanasterisk "s/\*/ASTERISK/g"

This will change the * to the word ASTERISK in the field myfieldwithanasterisk, allowing you to then manipulate the field in any way you want.

Thanks
Darren

0 Karma

Paolo_Prigione
Builder

This is a known bug, which is present in the Release Notes' Known Issues page.

There is no way to escape an asterisk (*) in the search language. (SPL-30079)

So you should go for the suggested workarounds...

Ant1D
Motivator

I am good at finding Splunk bugs 😉

0 Karma

mw
Splunk Employee

match uses regular expressions, so you just needed to anchor it then: "where NOT match(hello_world, "^\*$")"

0 Karma

Ant1D
Motivator

The match command works but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.

0 Karma

ziegfried
Influencer

You can also do simple string comparison in the where command:

... | where NOT hello_world="*"
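
The three filters proposed in this thread, compared side by side on constructed values (an added example, not part of any post above; the sample values, the row counter n and the three result column names are made up for illustration). Row 5 is left without a hello_world value on purpose, so the missing-field case is visible too:

```spl
| makeresults count=5
| streamstats count AS n
| eval hello_world=case(n=1, "*", n=2, "a*b", n=3, "**", n=4, "plain")
| eval string_equals_star=if(hello_world="*", "yes", "no")
| eval match_unanchored=if(match(hello_world, "\*"), "yes", "no")
| eval match_anchored=if(match(hello_world, "^\*$"), "yes", "no")
| table n hello_world string_equals_star match_unanchored match_anchored
```

Because where keeps only events whose expression evaluates to true, an event with no hello_world field at all is also dropped by where NOT hello_world="*"; put isnull(hello_world) OR in front of the comparison if those events should stay.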