Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter events for hosts with wildcard in a search querry.

kiroalbatrosa
New Member
‎09-09-2019 11:52 PM

Hello all,

I am new to Splunk, so please excuse any gaps in my knowledge :).
I am trying to create customized alerts based on hostname filtering. The issue at hand can be described very simply, when creting any query for an alert condition the results provide a return for all hosts meeting the criteria, But when I try to filter on a broader range(wildcards), I receive no results. The queries work when either providing a specific host, or no host at all, wildcard hosts give no results. 

index=* `alerting_filesystem_usage`

This gives the results in the first screenshot.

index=* `alerting_filesystem_usage` | where host='*72*'

This or any variation of the wildcard returns no results. Can someone please provide some guidance, as I cannot find any logic behind the behavior.

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-10-2019 12:41 AM

Hi,

Please try below queries, when you use where you can't use * instead you need to use % for wildcard in where like()

index=* `alerting_filesystem_usage` | search host='*72*'

OR

index=* `alerting_filesystem_usage` | where like(host, "%72%")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-10-2019 12:41 AM

Hi,

Please try below queries, when you use where you can't use * instead you need to use % for wildcard in where like()

index=* `alerting_filesystem_usage` | search host='*72*'

OR

index=* `alerting_filesystem_usage` | where like(host, "%72%")
0 Karma
Reply
Solved! Jump to solution

kiroalbatrosa
New Member
‎09-10-2019 12:47 AM

WOW, you are a genius, thank you! Just FYI, only your second suggestion does return results.

     index=* `alerting_filesystem_usage` | search host='*72*'

Does not seem to work BUT this works like a charm

     index=* `alerting_filesystem_usage` | where like(host, "%72%")
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-10-2019 12:55 AM

Can you please try below query?

 index=* `alerting_filesystem_usage` | search host="*72*"
0 Karma
Reply
Solved! Jump to solution

kiroalbatrosa
New Member
‎09-10-2019 01:08 AM

Yes, the quotes seem to be the issue,all this is very valuable info indeed 🙂

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-10-2019 01:09 AM

yw ..... 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...