
Can I use wildcards in transactions - startswith and endswith clauses?

Path Finder

When I use wildcards in the startswith or endswith for transaction, I get unexpected behavior. In short, if I specify something like startswith="aaa * bbb ccc", then it seems to match strings of the form "aaa*ccc".

Sometimes I can get around this by specifying startswith=(="aaa yyyy bbb ccc" OR ="aaa zzzz bbb ccc") when this is possible, and it behaves as I expect.

It seems like I should be able to use regex in these clauses, but so far I have not been able to make it work. Something like startswith=(regex _raw="aaa\\s[\\w]+\\sbbb\\sccc")


Re: Can I use wildcards in transactions - startswith and endswith clauses?

SplunkTrust

You can use regexes in an eval statement, which is valid for startswith. Here's an example:

... | transaction field startswith=eval(match(_raw, "\d\d\s+start")) endswith=end

This matches the following events into one transaction:

2013-01-30T12:32:34+00:00 start field=10000
2013-01-30T12:39:27+00:00 end field=10000

As a counter-example, adding another \d in the regex breaks the transaction apart because startswith doesn't match.

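A self-contained search that exercises the eval(match(...)) form from the answer above, added here as an illustration and not part of the original post. It builds four constructed sample events with makeresults (two interleaved sessions, distinguished by the field value), puts them back into _raw, and then applies regex-based startswith and endswith clauses; the event text, the field name `field` and the `ts` capture group are assumptions made for the example.

```spl
| makeresults
| eval event="2013-01-30T12:32:34+00:00 start field=10000;2013-01-30T12:33:10+00:00 start field=20000;2013-01-30T12:39:27+00:00 end field=10000;2013-01-30T12:41:02+00:00 end field=20000"
| makemv delim=";" event
| mvexpand event
| rename event AS _raw
| rex field=_raw "^(?<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S*\s+\w+\s+field=(?<field>\d+)"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| sort 0 -_time
| transaction field startswith=eval(match(_raw, "\d\d\s+start")) endswith=eval(match(_raw, "\d\d\s+end"))
| table field eventcount duration closed_txn
```

The `sort 0 -_time` step puts the constructed events into the reverse-chronological order that a normal search delivers and that transaction expects. Both boundary clauses are eval(match(...)) here, so the same regex technique applies to endswith as well as startswith. Each field value should yield one closed transaction of two events (the start and end for that session); changing the start pattern to "\d\d\d\s+start" reproduces the counter-example from the answer, since the ":00" before "start" has only two digits and the transactions no longer close.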