https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197595#M57093 <P>Is there any way to use a wildcard on the left side of a comparison in a Splunk search? We have a scripted input that returns physical drive status across many systems, and the results look like this:</P> <PRE><CODE>hostname=some_hostname physDrv1=ok physDrv2=ok physDrv3=ok physDrv4=failed </CODE></PRE> <P>Is there any way to search for events that have any non-OK lines like below? This apparently doesn't work and I haven't found anything in the Splunk documentation. </P> <PRE><CODE>sourcetype=drive_status | where physDrv*!="ok" </CODE></PRE> <P>For now, we just hardcode every possible drive property in the search like below and it works fine, but it would be cool to write a more elegant search if possible. Let me know what you think. Thanks for the help!</P> <PRE><CODE>sourcetype=drive_status | where physDrv1!="ok" OR physDrv2!="ok" OR physDrv3!="ok" OR physDrv4!="ok" </CODE></PRE> Tue, 07 Jan 2014 15:49:18 GMT jerdmann 2014-01-07T15:49:18Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197595#M57093 <P>Is there any way to use a wildcard on the left side of a comparison in a Splunk search? We have a scripted input that returns physical drive status across many systems, and the results look like this:</P> <PRE><CODE>hostname=some_hostname physDrv1=ok physDrv2=ok physDrv3=ok physDrv4=failed </CODE></PRE> <P>Is there any way to search for events that have any non-OK lines like below? This apparently doesn't work and I haven't found anything in the Splunk documentation. </P> <PRE><CODE>sourcetype=drive_status | where physDrv*!="ok" </CODE></PRE> <P>For now, we just hardcode every possible drive property in the search like below and it works fine, but it would be cool to write a more elegant search if possible. Let me know what you think. Thanks for the help!</P> <PRE><CODE>sourcetype=drive_status | where physDrv1!="ok" OR physDrv2!="ok" OR physDrv3!="ok" OR physDrv4!="ok" </CODE></PRE> Tue, 07 Jan 2014 15:49:18 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197595#M57093 jerdmann 2014-01-07T15:49:18Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197596#M57094 <P>You could try:</P> <PRE><CODE>sourcetype=drive_status NOT "ok" | your stats or table </CODE></PRE> <P>But you have to be careful how you use it because it will ignore "ok" regardless of the field. In your example, it looks like ignoring "ok" will not be a problem.</P> Tue, 07 Jan 2014 15:59:22 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197596#M57094 lukejadamec 2014-01-07T15:59:22Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197597#M57095 <P>Cool, thanks for the feedback. I'm not sure if this will work though, as it looks like this filters out all events that have the text "ok" anywhere in them. </P> <P>I gave it a shot and it filters out all results which obviously isn't what we want. Thanks for the suggestion though!</P> Tue, 07 Jan 2014 16:02:08 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197597#M57095 jerdmann 2014-01-07T16:02:08Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197598#M57096 <P>Try following</P> <PRE><CODE>index=blah sourcetype=blah NOT "physDrv*=ok" | &lt;do more&gt; </CODE></PRE> <H2>UPDATED Search</H2> <P>Try this</P> <PRE><CODE>index=blah sourcetype=blah | rex max_match=0 "(?m)physDrv[0-9]*=(?&lt;drive_status&gt;[^ ]+)" | nomv drive_status | eval drive_status=replace(drive_status,"ok","") | where drive_status!="" </CODE></PRE> Tue, 07 Jan 2014 16:06:57 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197598#M57096 somesoni2 2014-01-07T16:06:57Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197599#M57097 <P>Hmmm, no dice here either. This filters out all events that an OK in any of the drives/properties, similar to the above suggestion.</P> Tue, 07 Jan 2014 16:32:52 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197599#M57097 jerdmann 2014-01-07T16:32:52Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197600#M57098 <P>Please see if the updated answer works.</P> Tue, 07 Jan 2014 16:58:08 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197600#M57098 somesoni2 2014-01-07T16:58:08Z https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197601#M57099 <P>Perfect, works like a treat! I had to modify the above slightly (see below), but this is otherwise exactly what I needed. Thanks a ton!</P> <P>rex max_match=0 "(?m)physDrv[0-9]+=(?<DRIVE_STATUS>[\w]+)" | nomv drive_status | eval drive_status=replace(drive_status,"ok\s*","") | where drive_status!=""</DRIVE_STATUS></P> Mon, 28 Sep 2020 15:36:07 GMT https://community.splunk.com/t5/Splunk-Search/Wildcards-on-the-left-side-of-a-comparison/m-p/197601#M57099 jerdmann 2020-09-28T15:36:07Z