Refine your search:

field value *

0

Hi,

I have a field named hello_world and a value of the field is *

I am writing a search where the results will not include this value *.

The problem is if I write for example: index=my_index NOT hello_world="*"

I will get no results that have any value for field hello_world and at face value that makes sense. So how can I tell Splunk to say NOT field=* (just the string/symbol) instead of NOT field=* (no results at all)

asked 09 Jun '11, 07:43

Ant1D's gravatar image

Ant1D
8644444
accept rate: 37%

edited 09 Jun '11, 08:06

2 Answers:
oldestnewestmost voted
1

You may need to do something like this:

index=my_index | where NOT match(hello_world, "\*")
link

answered 09 Jun '11, 09:50

mw's gravatar image

mw
1.7k215
accept rate: 29%

1

You can also do simple string comparison in the where command:

... | where NOT hello_world="*"
(09 Jun '11, 09:53) ziegfried ♦

the match command works but it also seems to remove any other hello_world field values that contain an asterisk *. This could be a bit of a problem. Thanks mw. Ziegfried, your solution works as desired. Thanks again.

(10 Jun '11, 02:39) Ant1D

match uses regular expressions, so you just needed to anchor it then: "where NOT match(hello_world, "^\*$")"

(10 Jun '11, 03:10) mw
1

This is a known bug, which is present in the Release Notes' Known Issues page.

There is no way to escape an asterisk (*) in the search language. (SPL-30079)

So you should go for the suggested workarounds...

link

answered 09 Jun '11, 10:15

Paolo%20Prigione's gravatar image

Paolo Prigione
2.0k3318
accept rate: 38%

I am good at finding Splunk bugs ;)

(10 Jun '11, 02:42) Ant1D
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,685
×400
×236

Asked: 09 Jun '11, 07:43

Seen: 858 times

Last updated: 10 Jun '11, 03:11

Related questions

How to search for a field value that has appeared as the value of some other field?

Create multivalued field in the search based on another field

Can I perform If-Then-Else logic within a search?

Search Field Extraction help

Extract particular field value and assign to a variable to be used for further searches

Missing field detection

Anybody have a method to convert a value in scientific notation to decimal?

Two questions one answer

Search for value other than 0 - How-To

Copyright © 2005-2012 Splunk Inc. All rights reserved.