Splunk Enterprise Security

Searching a Splunk Enterprise Security data model, why do I get no results using a wildcard in a conditional where statement?

gary_richardson
Path Finder

Hello!

Hope someone can assist.

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.196"

Returns all the events from the data model, where the field srcip=184.105.247.196

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.*"

Returns nothing.

Am I missing something here? I've used wildcards in numerous searches up to now, so I can't understand why this is failing. Is the * being escaped by the quotes, which I didn't think was possible?

I can find the original events which match using the same where srcip="184.105.247.*" conditional from outside of the datamodel.

Cheers.

0 Karma
1 Solution

javiergn
Super Champion

Try search instead or use where with LIKE:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | search srcip="184.105.247.*"

View solution in original post

javiergn
Super Champion

Try search instead or use where with LIKE:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | search srcip="184.105.247.*"

sowings
Splunk Employee
Splunk Employee

To be clear, the "where" search operator is very literal.

gary_richardson
Path Finder

That's solved it, thanks!

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...