topic Adding asterisk to host list in Splunk Search

Adding asterisk to host list

jwhughes58 — Wed, 28 Aug 2024 19:32:42 GMT

I'm working on a dashboard in which the user enters a list of hosts. The issue I'm running into is they must add an asterisk to the host name or it isn't found in the search. This what the SPL looks like.

index=os_* (`wineventlog_security` OR sourcetype=linux_secure) host IN ( host1*, host2*, host3*, host4*, host5*, host6*, host7*, host8* ) earliest=-7d@d | dedup host | eval sourcetype=if(sourcetype = "linux_secure", sourcetype, source) | fillnull value="" | table host, index, sourcetype, _raw

If there is no * then there are no results. What I would like to be able to do is have them enter hostname, FQDN, and either upper or lower case and the SPL would change it to lower case, remove any FQDN parts, add the *, and then search. So far I haven't come up with SPL that works. Any thoughts?

TIA,
Joe

Re: Adding asterisk to host list

PickleRick — Wed, 28 Aug 2024 20:02:25 GMT

Upper/lowercase doesn't matter with search term. Splunk matches case-insensitively (with search command; where command is case-sensitive).

And looking for something is definitely not the same as looking for something*.

Re: Adding asterisk to host list

jwhughes58 — Wed, 28 Aug 2024 20:16:00 GMT

Thanks @PickleRick for answering. This is what I found works.

Re: Adding asterisk to host list

PickleRick — Thu, 29 Aug 2024 18:09:40 GMT

Oh. This is something we in Poland call "shooting the sparrow with a cannon". If you really want to modify user's input, you should do so on client's side using the <change> functionality of the dashboard.

But I'm still asking what's the point in doing so. If you want to have predefined choices you use different inputs. If you let the user type in something freely honor their choice (and/or educate the users to add the wildcard by themselves).