https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89790#M182250 <P>whats the best way to compare with a list of items.<BR /> I am looking for something like this:<BR /> |search where NotificationEventType in ("THE_CHEESEBURGER%", "THE_HAMBURGER%", "ETC%"...)</P> Tue, 29 Sep 2020 23:16:13 GMT pranjal 2020-09-29T23:16:13Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89781#M182241 <P>if one of my fields is host, I want to do</P> <P>host like "startswith*"</P> <P>what is the syntax to do that? thanks,</P> Tue, 09 Jul 2013 17:34:21 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89781#M182241 alexl1 2013-07-09T17:34:21Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89782#M182242 <P>Here are are a couple ways.</P> <OL> <LI><P><CODE>host=foo*</CODE></P></LI> <LI><P><CODE>... | where like(host, "foo%")</CODE></P></LI> </OL> Tue, 09 Jul 2013 17:42:10 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89782#M182242 JSapienza 2013-07-09T17:42:10Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89783#M182243 <P>thanks! ...</P> Tue, 09 Jul 2013 17:48:54 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89783#M182243 alexl1 2013-07-09T17:48:54Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89784#M182244 <P>What is the best way to exclude event that start with foo*?</P> Sun, 03 Jul 2016 12:14:59 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89784#M182244 bcherdak 2016-07-03T12:14:59Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89785#M182245 <P>-- bcherdak, you asked - "What is the best way to exclude event that start with foo*?"</P> <P>I would say - <CODE>... NOT host = "foo*"</CODE></P> Sun, 03 Jul 2016 20:39:41 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89785#M182245 ddrillic 2016-07-03T20:39:41Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89786#M182246 <P>While it's probably safe to use <CODE>NOT host="foo*"</CODE> since the host field should always exist, I'd favor the <CODE>host!="foo*"</CODE> syntax; if you have a pattern you're matching on, you probably expect that field to exist in the results. Using the NOT approach will also return events that are missing the field which is probably not what most people want.</P> Mon, 04 Jul 2016 03:48:04 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89786#M182246 jtacy 2016-07-04T03:48:04Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89787#M182247 <P>If you want to exclude events where a field doesn't start with foo*, use <CODE>field!="foo*"</CODE>.</P> <P>If you want to exclude events where the event itself doesn't start with foo*, you can use <CODE>_raw!="foo*"</CODE>.</P> Tue, 29 Sep 2020 10:08:02 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89787#M182247 jtacy 2020-09-29T10:08:02Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89788#M182248 <P>@bcherdak : What is the best way to exclude event that start with foo*?</P> <P>your search | where NOT like(host,"foo%")</P> <P>This should do the magic.</P> Thu, 03 May 2018 16:24:04 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89788#M182248 th1agarajan 2018-05-03T16:24:04Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89789#M182249 <P>whats the best way to compare with a list of items.<BR /> I am looking for something like this:<BR /> |search where NotificationEventType in ("THE_CHEESEBURGER%", "THE_HAMBURGER%", "ETC%"...)</P> Tue, 29 Sep 2020 23:16:10 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89789#M182249 pranjal 2020-09-29T23:16:10Z https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89790#M182250 <P>whats the best way to compare with a list of items.<BR /> I am looking for something like this:<BR /> |search where NotificationEventType in ("THE_CHEESEBURGER%", "THE_HAMBURGER%", "ETC%"...)</P> Tue, 29 Sep 2020 23:16:13 GMT https://community.splunk.com/t5/Splunk-Search/can-i-use-quot-like-quot-in-search-criteria/m-p/89790#M182250 pranjal 2020-09-29T23:16:13Z