Splunk Search

How to filter events for hosts with wildcard in a search query.

kiroalbatrosa
New Member

Hello all,

I am new to Splunk, so please excuse any gaps in my knowledge :).
I am trying to create customized alerts based on hostname filtering. The issue at hand can be described very simply: when creating any query for an alert condition, the results provide a return for all hosts meeting the criteria, but when I try to filter on a broader range (wildcards), I receive no results. The queries work when either providing a specific host, or no host at all; wildcard hosts give no results.

index=* `alerting_filesystem_usage` 

This gives the results in the first screenshot.

index=* `alerting_filesystem_usage` | where host='*72*'

This or any variation of the wildcard returns no results. Can someone please provide some guidance, as I cannot find any logic behind the behavior.



harsmarvania57
SplunkTrust

Hi,

Please try the queries below. When you use where you can't use *; instead you need to use % for the wildcard in where like().

index=* `alerting_filesystem_usage` | search host='*72*'

OR

index=* `alerting_filesystem_usage` | where like(host, "%72%")



kiroalbatrosa
New Member

WOW, you are a genius, thank you! Just FYI, only your second suggestion does return results.

index=* `alerting_filesystem_usage` | search host='*72*'

Does not seem to work BUT this works like a charm

index=* `alerting_filesystem_usage` | where like(host, "%72%")

harsmarvania57
SplunkTrust

Can you please try the query below?

index=* `alerting_filesystem_usage` | search host="*72*"

kiroalbatrosa
New Member

Yes, the quotes seem to be the issue; all this is very valuable info indeed 🙂


harsmarvania57
SplunkTrust

yw ..... 🙂
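Added example, not part of the thread above: the working forms of this host filter in SPL, side by side with the one that fails, so the quoting rules the thread arrives at can be seen in one place. It assumes the `alerting_filesystem_usage` macro from the thread (its contents are not shown there) and hosts whose names contain the characters 72.

```spl
index=* host="*72*" `alerting_filesystem_usage`

index=* `alerting_filesystem_usage` | search host="*72*"

index=* `alerting_filesystem_usage` | where like(host, "%72%")

index=* `alerting_filesystem_usage` | where match(host, "72")

index=* `alerting_filesystem_usage` | where host='*72*'
```

The first two use the `search` command, where `*` is the wildcard and string values go in double quotes; putting the term in the base search (first line) lets Splunk drop non-matching events before the macro runs, which is the cheapest option for an alert. In `where`, `like()` treats `%` as "any run of characters" and `_` as "any single character", while `*` is a literal; `match()` takes a regular expression instead. The last line is the form from the original question: inside `where`, single quotes delimit a field name, so `'*72*'` is a reference to a field called `*72*`, which no event has, and the comparison never succeeds. The same single quotes given to `search` are taken as part of the literal string, which is why `search host='*72*'` also returned nothing until the double-quoted version was tried. For an alert, prefer the narrowest pattern that still covers the intended hosts (for example a prefix such as `host="web72*"`), since a bare `*72*` also matches any unrelated host whose name happens to contain 72.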
