https://community.splunk.com/t5/Splunk-Search/How-to-search-partial-field-names-and-exclude-events-that/m-p/442688#M125646 <P>Hi,<BR /> I want my search to only return events that have field names matching <STRONG><EM>Feature.Flags</EM></STRONG>*<BR /> My data currently has the below field names but more and more feature flags will be released over time so I don't want to hard code them into the search.</P> <P>Feature.Flags.1<BR /> Feature.Flags.2<BR /> Feature.Flags.3</P> <P>How can I construct a search to only return events that contain any of these Feature.Flags* Field names but to exclude any events when all matching Feature.Flags fields have no value?</P> <P>e.g. Only return Event 1 and 3 below<BR /> <STRONG>Event 1</STRONG><BR /> Feature.Flags.1 = True<BR /> Feature.Flags.2 = ""<BR /> Feature.Flags.3 = False</P> <P><STRONG>Event 2</STRONG> (All Fields have no value so exclude this from the search)<BR /> Feature.Flags.1 = ""<BR /> Feature.Flags.2 = ""<BR /> Feature.Flags.3 = ""</P> <P><STRONG>Event 3</STRONG><BR /> Feature.Flags.1 = False<BR /> Feature.Flags.2 = False<BR /> Feature.Flags.3 = False</P> <P>I've tried different things but can't get it to work. For example the below returns all events in a table but unfortunately it includes Events where all Feature.Flags* fields have empty values</P> <PRE><CODE>table host Feature.Flags* </CODE></PRE> <P>I also tried the below but it just returned all entries with HostFlags set to False and none set to True</P> <PRE><CODE>eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | search HostFlags=* | table host Feature.Flags* </CODE></PRE> Wed, 26 Jun 2019 14:52:42 GMT ganon640 2019-06-26T14:52:42Z https://community.splunk.com/t5/Splunk-Search/How-to-search-partial-field-names-and-exclude-events-that/m-p/442688#M125646 <P>Hi,<BR /> I want my search to only return events that have field names matching <STRONG><EM>Feature.Flags</EM></STRONG>*<BR /> My data currently has the below field names but more and more feature flags will be released over time so I don't want to hard code them into the search.</P> <P>Feature.Flags.1<BR /> Feature.Flags.2<BR /> Feature.Flags.3</P> <P>How can I construct a search to only return events that contain any of these Feature.Flags* Field names but to exclude any events when all matching Feature.Flags fields have no value?</P> <P>e.g. Only return Event 1 and 3 below<BR /> <STRONG>Event 1</STRONG><BR /> Feature.Flags.1 = True<BR /> Feature.Flags.2 = ""<BR /> Feature.Flags.3 = False</P> <P><STRONG>Event 2</STRONG> (All Fields have no value so exclude this from the search)<BR /> Feature.Flags.1 = ""<BR /> Feature.Flags.2 = ""<BR /> Feature.Flags.3 = ""</P> <P><STRONG>Event 3</STRONG><BR /> Feature.Flags.1 = False<BR /> Feature.Flags.2 = False<BR /> Feature.Flags.3 = False</P> <P>I've tried different things but can't get it to work. For example the below returns all events in a table but unfortunately it includes Events where all Feature.Flags* fields have empty values</P> <PRE><CODE>table host Feature.Flags* </CODE></PRE> <P>I also tried the below but it just returned all entries with HostFlags set to False and none set to True</P> <PRE><CODE>eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | search HostFlags=* | table host Feature.Flags* </CODE></PRE> Wed, 26 Jun 2019 14:52:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-partial-field-names-and-exclude-events-that/m-p/442688#M125646 ganon640 2019-06-26T14:52:42Z https://community.splunk.com/t5/Splunk-Search/How-to-search-partial-field-names-and-exclude-events-that/m-p/442689#M125647 <P>ganon640</P> <P>Try this - </P> <PRE><CODE>| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "xyz" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | where HostFlags!="" | table Feature.Flags* </CODE></PRE> <P>And</P> <PRE><CODE>| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | where HostFlags!="" | table Feature.Flags* </CODE></PRE> <P>The first one will give you result and the second one will not. Which is what your criteria is.<BR /> Let me know. Thanks</P> Wed, 26 Jun 2019 19:42:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-partial-field-names-and-exclude-events-that/m-p/442689#M125647 amitm05 2019-06-26T19:42:47Z