Solved: Re: Does IN support wildcards?

danielbb · ‎07-31-2019

The following doesn't seem to work -

NOT hostname IN ("*.<domain1>.com", "*.<domain2>.com")

Does IN support wildcards?

niketn · ‎07-31-2019

@danielbb yes it should so if it is not working then please add more details as to what you are trying to do and what is your current data/SPL (mock/anonymize any sensitive information before posting on Splunk Answers).

Meanwhile based on the code/data snippet provided in the question, try the following run anywhere example search:

| makeresults 
| fields - _time 
| eval hostname="test1.domain1.com,test2.domain1.com,test3.domain2.com,test4.domain3.com" 
| makemv hostname delim="," 
| mvexpand hostname 
| search NOT hostname IN ("*.domain1.com", "*.domain2.com")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎07-31-2019

@danielbb yes it should so if it is not working then please add more details as to what you are trying to do and what is your current data/SPL (mock/anonymize any sensitive information before posting on Splunk Answers).

Meanwhile based on the code/data snippet provided in the question, try the following run anywhere example search:

| makeresults 
| fields - _time 
| eval hostname="test1.domain1.com,test2.domain1.com,test3.domain2.com,test4.domain3.com" 
| makemv hostname delim="," 
| mvexpand hostname 
| search NOT hostname IN ("*.domain1.com", "*.domain2.com")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

danielbb · ‎07-31-2019

Thanks a lot.

Does IN support wildcards?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?