Splunk Search

Does wildeward search in source attribute work?

mkelderm
Path Finder

I assume that searching with source=* should work? What could be the reason that this query works:

index=prd_stats sourcetype=appman:*

Results:

12/03/2013 12:15:46.000 ResponseTimems=101
host=l2-iamprdagw04.nl.rsg sourcetype=appman:Script source=heartbeat-randstadnet@l2-iamprdagw04

And this not:

index=prd_stats sourcetype=appman:* source=heartbeat*

no results...

0 Karma
1 Solution

bmacias84
Champion

You search has implied AND. Splunk inserts AND between search terms.

This is what your search is accutually.


index=prd_stats AND sourcetype=appman:* AND source=heartbeat*

This is what I think you trying to do


index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")
OR
index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"

To avoid confusion I explictly define all my boolean search operators.

Additional Reading:

SearchReference

Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.

Cheers,

View solution in original post

bmacias84
Champion

You search has implied AND. Splunk inserts AND between search terms.

This is what your search is accutually.


index=prd_stats AND sourcetype=appman:* AND source=heartbeat*

This is what I think you trying to do


index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")
OR
index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"

To avoid confusion I explictly define all my boolean search operators.

Additional Reading:

SearchReference

Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.

Cheers,

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.