https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222225#M65341 <P>Hello,</P> <P>Why using a where clause?<BR /> You could just do:<BR /> index=xyz* NOT [search index=xyz* "ORA-00001" source="/logs/*/camel-audit.log"]</P> <P>And perhaps even simpler:<BR /> index=xyz* NOT ("ORA-00001" AND source="/logs/*/camel-audit.log")</P> Tue, 26 Apr 2016 12:54:13 GMT ctaf 2016-04-26T12:54:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222224#M65340 <P>I am using the search below to shunt "ORA-00001" from a set of log files. This search works fine for just one log file.</P> <PRE><CODE>index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/sit/camel-audit.log"] </CODE></PRE> <P>but when I put a wildcard in the where clause, it doesn't work. Could you please help me on how to use wildcard in a where clause?</P> <PRE><CODE>index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/*/camel-audit.log"] </CODE></PRE> Tue, 26 Apr 2016 06:00:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222224#M65340 rndp89 2016-04-26T06:00:31Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222225#M65341 <P>Hello,</P> <P>Why using a where clause?<BR /> You could just do:<BR /> index=xyz* NOT [search index=xyz* "ORA-00001" source="/logs/*/camel-audit.log"]</P> <P>And perhaps even simpler:<BR /> index=xyz* NOT ("ORA-00001" AND source="/logs/*/camel-audit.log")</P> Tue, 26 Apr 2016 12:54:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222225#M65341 ctaf 2016-04-26T12:54:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222226#M65342 <P>@ctaf's comment is a good one, but if you insist on using the <CODE>where</CODE> command you can't use wildcards. Try <CODE>like</CODE>, instead.</P> <PRE><CODE>index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")] </CODE></PRE> <P>Notice the <CODE>like</CODE> command uses SQL-style wildcards.</P> Tue, 26 Apr 2016 13:09:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222226#M65342 richgalloway 2016-04-26T13:09:28Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222227#M65343 <P>thank you .</P> Thu, 28 Apr 2016 10:35:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222227#M65343 rndp89 2016-04-28T10:35:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222228#M65344 <P>thanks! it worked.</P> Thu, 28 Apr 2016 10:36:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222228#M65344 rndp89 2016-04-28T10:36:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222229#M65345 <P>Please accept the answer.</P> Thu, 28 Apr 2016 11:40:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-wildcard-in-a-where-clause/m-p/222229#M65345 richgalloway 2016-04-28T11:40:42Z