Splunk Search

Can I use wildcards in transactions - startswith and endswith clauses?

Path Finder

When I use wildcards in the startswith or endswith for transaction, I get unexpected behavior. In short, if I specify something like startswith=”aaa * bbb ccc”, then it seems to match strings of the form “aaa*ccc”.

Sometimes I can get around with this by specifying startswith=(=”aaa yyyy bbb ccc” OR =”aaa zzzz bbb ccc”) when this is possible and it behaves as I expect.

It seems like I should be able to use regex in these clauses, but so far I have not been able to make it work. Something like startswith=(regex _raw=”aaa\\s[\\w]+\\sbbb\\sccc”)

1 Solution

SplunkTrust
SplunkTrust

You can use regex's in an eval statement, which is valid for startswith. Here's an example:

... | transaction field startswith=eval(match(_raw, "\d\d\s+start")) endswith=end

This matches the following events into one transaction:

2013-01-30T12:32:34+00:00 start field=10000
2013-01-30T12:39:27+00:00 end field=10000

As a counter-example, adding another \d in the regex breaks the transaction apart because startswith doesn't match.

View solution in original post

SplunkTrust
SplunkTrust

You can use regex's in an eval statement, which is valid for startswith. Here's an example:

... | transaction field startswith=eval(match(_raw, "\d\d\s+start")) endswith=end

This matches the following events into one transaction:

2013-01-30T12:32:34+00:00 start field=10000
2013-01-30T12:39:27+00:00 end field=10000

As a counter-example, adding another \d in the regex breaks the transaction apart because startswith doesn't match.

View solution in original post