Without extracting fields, I want to search for any events that do not contain "country=$", i.e. the event must not end with "country=". I can regex it to "country=(?!$)", but that still requires country to be present in the event, which is not what I want.
Example: my search:
source=*vhost* | regex "country=(?!$)"
events:
language=en&country=&playerId=29539105
language=en&country=
general error
I want to exclude the middle one, while still hitting the other two. I can do it in regular regex evaluators, but Splunk doesn't seem to read regex the same way.
In a regular regex interpreter, I've found that (?!(country=$)) is enough, but Splunk doesn't understand this, and hits all events.
Found one solution to the problem, if not regex-specific:
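An added illustration, not part of the original post and separate from the poster's own solution: the patterns discussed above, run with Python's re module over the three sample events, assuming the filter keeps an event when the pattern matches anywhere in it (as re.search does). The anchored pattern ^(?!.*country=$) and all function names are assumptions introduced here.

```python
import re

# Sample events copied from the question above.
EVENTS = [
    "language=en&country=&playerId=29539105",
    "language=en&country=",
    "general error",
]

PATTERNS = {
    # Needs the literal "country=" to be present, so "general error" is dropped.
    "requires_country": r"country=(?!$)",
    # Unanchored negative lookahead: it succeeds at the first position where
    # "country=" followed by end-of-string does not start, which is offset 0 here.
    "unanchored_lookahead": r"(?!(country=$))",
    # Assumed alternative: anchor at the start and let ".*" scan the whole event,
    # so the assertion covers the entire string and is tested only once.
    "anchored_lookahead": r"^(?!.*country=$)",
}


def matching_events(pattern, events=EVENTS):
    """Return the events a match-anywhere filter would keep for this pattern."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e)]


def first_match_offset(pattern, event):
    """Return the offset where the pattern first matches, or None if it never does."""
    m = re.search(pattern, event)
    return None if m is None else m.start()


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:22} {pattern}")
        for event in EVENTS:
            kept = first_match_offset(pattern, event) is not None
            print(f"    {'keep' if kept else 'drop'}  {event}")
```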