https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122060#M32842 <P>Hi alladin101,</P> <P>it's me again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Now I get it; no this is not the way you use <CODE>where</CODE>. If you use <CODE>where</CODE> you will compare two fields and their respective values. You would have to use <CODE>search</CODE> because this will search using the value of the field.</P> <P>like this:</P> <PRE><CODE>index=whatever* sourcetype=server |rex field=CLIENT_VERSION "\'(?P.+)\'" |table version |search version=*10_2* </CODE></PRE> <P>hope this helps...</P> <P>cheers, MuS</P> Fri, 14 Nov 2014 08:21:27 GMT MuS 2014-11-14T08:21:27Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122059#M32841 <P>Hi - I wish to use a wildcard in the where clause in the below query can someone help?</P> <PRE><CODE>index=whatever* sourcetype=server |rex field=CLIENT_VERSION "\'(?P.+)\'" |table version |where version=*10_2* </CODE></PRE> <P>here the value in the version field is FS_10_2_17387/FS_10_2_12387/FS_10_2_17987</P> Mon, 28 Sep 2020 18:10:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122059#M32841 allladin101 2020-09-28T18:10:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122060#M32842 <P>Hi alladin101,</P> <P>it's me again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Now I get it; no this is not the way you use <CODE>where</CODE>. If you use <CODE>where</CODE> you will compare two fields and their respective values. You would have to use <CODE>search</CODE> because this will search using the value of the field.</P> <P>like this:</P> <PRE><CODE>index=whatever* sourcetype=server |rex field=CLIENT_VERSION "\'(?P.+)\'" |table version |search version=*10_2* </CODE></PRE> <P>hope this helps...</P> <P>cheers, MuS</P> Fri, 14 Nov 2014 08:21:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122060#M32842 MuS 2014-11-14T08:21:27Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122061#M32843 <P>Hi Mus,</P> <P>Thanks for the answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>can i use this as well?<BR /> <CODE>|where like(version,"%FX_10_2%")<BR /> </CODE></P> Mon, 28 Sep 2020 18:10:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122061#M32843 allladin101 2020-09-28T18:10:57Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122062#M32844 <P>yes, this should work as well</P> Fri, 14 Nov 2014 08:38:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122062#M32844 MuS 2014-11-14T08:38:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122063#M32845 <P>This just saved my life! Thanks!</P> Wed, 01 Feb 2017 16:31:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122063#M32845 LAcioffi 2017-02-01T16:31:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122064#M32846 <P>FYI - the optimizer will combine this into <CODE>search(index=whatever* sourcetype=server version=*10_2*)</CODE>, as if it was part of the original search query.</P> Tue, 07 Mar 2017 22:37:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122064#M32846 markbarber21 2017-03-07T22:37:02Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122065#M32847 <P>Yes, this is the difference between using <CODE>where</CODE> and <CODE>search</CODE> ; <CODE>search</CODE> can be basically used in the base/original search where as <CODE>where</CODE> will compare/eval values of fields ... even back in 2014 <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>cheers, MuS</P> Wed, 08 Mar 2017 09:47:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122065#M32847 MuS 2017-03-08T09:47:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122066#M32848 <P>hi,<BR /> if i want to add multiple values in the version field, can i use "AND" operator in search command?<BR /> for eg: | search version= 10 AND 12 AND 13<BR /> or how to include all three values in version field?</P> Tue, 16 Oct 2018 08:44:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122066#M32848 MoniM 2018-10-16T08:44:45Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122067#M32849 <P>How about this?<BR /> .... | search version="10" version="12" version="13"</P> Tue, 16 Oct 2018 19:19:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-with-a-where-clause/m-p/122067#M32849 MuS 2018-10-16T19:19:26Z