Solved: Making searches that involve the character (*)

cindygibbs_08 · ‎06-29-2021

Hello everyone I hope everyone is having a great day thank you so much for the help that you have provided me with in this forum I have a question it turns out that I do have a field which can take on the values "box_56**" and "box_56**78_A" but whenever I try to execute a search splunk always tells me that I am using a wild card and this is because the asterisk is within the search and sometimes making the search

| Search field="box-56**"

Can bring up both values.. I would like a way to properly search for this values without having to suffer a Heart attack.. I have used the "\" character to try to "escape" the "*" but it is not working... From now on I would like to change the value of that field using the case command but everytime I use it I get a bunch of nonsense... Thank you guys so much for your kind help you guys are just one of a kind!

Love Cindy,

ITWhisperer · ‎06-29-2021

You could try using regex to keep the events that match the expression

| regex "box_56\*\*"

View solution in original post

ITWhisperer · ‎06-29-2021

You could try using regex to keep the events that match the expression

| regex "box_56\*\*"

venkatasri · ‎06-29-2021

Hi @cindygibbs_08

There seems no escape for * in Splunk as per this post - https://community.splunk.com/t5/Splunk-Search/literal-in-search/m-p/64040

Try something like this, using regex command -https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Regex#Examples

| makeresults 
| eval name="box-56**" 
| regex name="box-56\*\*"

In your example you have to replace Search command with regex and match with regex style with \. box_56\*\*78_A

---

An upvote would be appreciated and Accept Solution if it helps!

Making searches that involve the character (*)

summary indexing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!