Splunk Enterprise Security

Searching a Splunk Enterprise Security data model, why do I get no results using a wildcard in a conditional where statement?

gary_richardson
Path Finder

Hello!

Hope someone can assist.

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.196"

Returns all the events from the data model, where the field srcip=184.105.247.196

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.*"

Returns nothing.

Am I missing something here? I've used wildcards in numerous searches up to now, so I can't understand why this is failing. Is the * being escaped by the quotes, which I didn't think was possible?

I can find the original events which match using the same where srcip="184.105.247.*" conditional from outside of the datamodel.

Cheers.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Try search instead or use where with LIKE:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | search srcip="184.105.247.*"

View solution in original post

javiergn
SplunkTrust
SplunkTrust

Try search instead or use where with LIKE:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | search srcip="184.105.247.*"

View solution in original post

sowings
Splunk Employee
Splunk Employee

To be clear, the "where" search operator is very literal.

gary_richardson
Path Finder

That's solved it, thanks!

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!