Splunk Enterprise Security

Searching a Splunk Enterprise Security data model, why do I get no results using a wildcard in a conditional where statement?

Path Finder

Hello!

Hope someone can assist.

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.196"

Returns all the events from the data model, where the field srcip=184.105.247.196

The search:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | where srcip="184.105.247.*"

Returns nothing.

Am I missing something here? I've used wildcards in numerous searches up to now, so I can't understand why this is failing. Is the * being escaped by the quotes, which I didn't think was possible?

I can find the original events which match using the same where srcip="184.105.247.*" conditional from outside of the datamodel.

Cheers.


SplunkTrust

Try search instead or use where with LIKE:

| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search | search srcip="184.105.247.*"



Splunk Employee

To be clear, the "where" search operator is very literal.
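Added example (not part of the original thread) that makes the accepted answer and the comment above visible in one search: inside `where`/`eval`, `=` compares against the literal string (asterisk included), so the wildcard forms that actually work are `like()` with the SQL-style `%` wildcard or, for an address range, `cidrmatch()`. The data model, object and `srcip` field are taken from the question; the `184.105.247.0/24` subnet is an assumption based on the prefix being searched.

```spl
| datamodel "Intrusion_Detection" "Network_IDS_Attacks" search
| eval where_literal=if(srcip="184.105.247.*", "match", "no_match"),
       where_like=if(like(srcip, "184.105.247.%"), "match", "no_match"),
       where_cidr=if(cidrmatch("184.105.247.0/24", srcip), "match", "no_match")
| where where_like="match" OR where_cidr="match"
| stats count BY srcip, where_literal, where_like, where_cidr
```

Every row comes back with `where_literal=no_match` while `where_like` and `where_cidr` show `match`, which is why the original `| where srcip="184.105.247.*"` returned nothing. For the actual filter, use `| where like(srcip, "184.105.247.%")` or `| where cidrmatch("184.105.247.0/24", srcip)`; the latter is the safer choice for a subnet because `%` in `like()` would also match any longer string starting with that prefix.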

Path Finder

That's solved it, thanks!
