1 Reply Latest reply on Aug 1, 2017 11:37 AM by jrouviere

    Searching with dashes

    aharrison

      Just wondering if anyone could tell me how to use the dash '-' in my search query.

       

      I'm using the saved search "Authentication Event Data Last Week" (which I believe is one of the stock saved searches).

       

      After the search, under Refine Fields, if I expand "User Name" then double-click the username that's just a dash, then go into Search Builder and click the = so that it becomes ( "User Name != - ) then I get no results at all.  I tried adding quotes "-" I tried various methods of escaping it ( like \- "\-" and others).

       

      What's the proper way to search for events where the User Name does not contain a dash?

        • Re: Searching with dashes
          jrouviere

          From playing with it, I believe the dash is just a placeholder really and not being treated like an actual character in LEM.  I exported the data to CSV and found the dash in my LEM is showing up in UserLogon events as the SourceAccount.  If I search for UserLogon.SourceAccount = * I get 149 results (it's a lab, so not much going on).  The same search with no character is 72 results and the same search with just a dash is also 72 characters.

           

          This is likely compounded with the fact that dash is a boolean operator for "not" and is intended to exclude what follows.

           

          The most likely answer to fix this for the web console is to reach out to Support to get an official answer and if it does work the way it appears to it will probably need Development's input for any kind of resolution.

           

          The best work around I can think of for today would be to export the data to excel and filter it out from there if you need to report on it anyway.