Archive

How to filter events for hosts with wildcard in a search querry.

New Member

Hello all,

I am new to Splunk, so please excuse any gaps in my knowledge :).
I am trying to create customized alerts based on hostname filtering. The issue at hand can be described very simply, when creting any query for an alert condition the results provide a return for all hosts meeting the criteria, But when I try to filter on a broader range(wildcards), I receive no results. The queries work when either providing a specific host, or no host at all, wildcard hosts give no results.

index=* `alerting_filesystem_usage` 

This gives the results in the first screenshot.

index=* `alerting_filesystem_usage` | where host='*72*'

This or any variation of the wildcard returns no results. Can someone please provide some guidance, as I cannot find any logic behind the behavior.

alt text

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi,

Please try below queries, when you use where you can't use * instead you need to use % for wildcard in where like()

index=* `alerting_filesystem_usage` | search host='*72*'

OR

index=* `alerting_filesystem_usage` | where like(host, "%72%")

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi,

Please try below queries, when you use where you can't use * instead you need to use % for wildcard in where like()

index=* `alerting_filesystem_usage` | search host='*72*'

OR

index=* `alerting_filesystem_usage` | where like(host, "%72%")

View solution in original post

0 Karma

New Member

WOW, you are a genius, thank you! Just FYI, only your second suggestion does return results.

     index=* `alerting_filesystem_usage` | search host='*72*'

Does not seem to work BUT this works like a charm

     index=* `alerting_filesystem_usage` | where like(host, "%72%")
0 Karma

SplunkTrust
SplunkTrust

Can you please try below query?

 index=* `alerting_filesystem_usage` | search host="*72*"
0 Karma

New Member

Yes, the quotes seem to be the issue,all this is very valuable info indeed 🙂

0 Karma

SplunkTrust
SplunkTrust

yw ..... 🙂

0 Karma