topic Re: splunk search, token issue in Splunk Search

splunk search, token issue

yohhpark — Tue, 03 Oct 2023 17:21:48 GMT

trying to set a token where system_id shows ABC1, ABC1-a, ABC10, ABC10-a and so on.

when I set the token for that system_id as ABC1* to return all the ABC1 and ABC1-a and so on, it also returns the ABC10, and ABC10-a and so on. BUt obvisouly if I just do ABC10* it will return the right result.

the first portion is the problem. hope my question makes sense.

Re: splunk search, token issue

yohhpark — Tue, 03 Oct 2023 18:35:26 GMT

for example

index=test
|search control_id=AC-2*

this would give me AC-2, AC-2a, AC-20a, AC-22b, and so on.

I just want AC-2, AC-2a and not the tenth digit of 2s.

Re: splunk search, token issue

richgalloway — Tue, 03 Oct 2023 19:13:50 GMT

That's the nature of wildcards - they're *wild* and sometimes match more than is desired.

The workaround is to tell Splunk what not to match, using the NOT operator and some other pattern, or use the regex command to filter using a more precise regular expression.

index=test control_id=AC-2* | regex control_id="AC-2[a-z]?"

This query first reads all events where the control_id field starts with "AC-2". This is similar to the existing behavior. The regex command keeps only the events where the control_id field contains "AC-2" followed by an optional single letter.