topic Re: How do I make wildcard search work for begins with or ends with searches? in Splunk Search

How do I make wildcard search work for begins with or ends with searches?

alfredhong — Thu, 27 May 2010 12:44:24 GMT

I have a defined field that I'm trying to perform searches against with wild cards, so given the texts:

text2search blah blah
blah text2search blah
blah blah text2search

And the following searches should return the specified item:

my_field="*text2search" --> #3
my_field="*text2search*" --> #1, 2, 3
my_field="text2search*" --> #1

But A and C actually return nothing. How would I get this to work like I expect it?

Thanks!

Re: How do I make wildcard search work for begins with or ends with searches?

gkanapathy — Thu, 27 May 2010 18:06:34 GMT

How is the field my_field actually extracted? Are there actually spaces delimiting both sides of text2search (and blah) in all cases? Is text2search actually just a word without internal spaces or punctuation? Does the search work if you don't specify my_field but just search for text2search (or *text2search or whatever)? Are you running these searches from the Splunk GUI?

Re: How do I make wildcard search work for begins with or ends with searches?

bwooden — Thu, 27 May 2010 20:21:37 GMT

gkanapathy raises good questions. If the below search works for case A then perhaps the field extraction may need to be tweaked to remove leading/trailing spaces or tabs.

my_field="*text2search*" | eval my_field=trim(my_field) | search my_field="*text2search"

Re: How do I make wildcard search work for begins with or ends with searches?

alfredhong — Thu, 27 May 2010 23:19:41 GMT

Great questions. Let me clarify them:

How is the field my_field actually extracted?

It is extracted via a regex in transforms.conf, and it can be "a sentence like this". Segmentation is set to inner for the source.

Are there actually spaces delimiting both sides of text2search (and blah) in all cases?

Not in terms of my example; I meant for "text2search" to mean exactly a word.

Is text2search actually just a word without internal spaces or punctuation?

Yes.

Does the search work if you don't specify my_field but just search for text2search (or *text2search or whatever)?

Not exactly. It seems for a past 24 hour search I get the same result for *text2search, text2search, text2search*, text2search.

Are you running these searches from the Splunk GUI?

Yes, tried that to verify against programmatic searches, which have the same results

Re: How do I make wildcard search work for begins with or ends with searches?

Lowell — Fri, 28 May 2010 22:58:28 GMT

Please add your clarifications to your original post (use the "edit" link) instead of adding a new "answer" like this.

Re: How do I make wildcard search work for begins with or ends with searches?

Stephen_Sorkin — Fri, 20 Aug 2010 01:39:44 GMT

This should normally work, and its failure probably has something to do with the heuristic of looking for the value in the index. The first check to make is to not put the field comparison in the initial part of the search. Does a search for just *text2search yield all the results that should match your field search. Another way is instead of:

my_field="*text2search"

Try:

* | search my_field="*text2search"

Re: How do I make wildcard search work for begins with or ends with searches?

sumnerm — Tue, 18 Jan 2011 17:33:07 GMT

To backup the answer from Stephen Sorkin, I've had a similar problem with searches using wildcards, and found it was resolved through putting the wildcard query after | search

The link between my situation and that of the original poster I think is segmentation startegy. I've come across this problem when experimenting with using outer segmentation. Are issues with wildcard searches in this way related to disabling full segmentation?