Splunk Search

Does wildeward search in source attribute work?

mkelderm
Path Finder

I assume that searching with source=* should work? What could be the reason that this query works:

index=prd_stats sourcetype=appman:*

Results:

12/03/2013 12:15:46.000 ResponseTimems=101
host=l2-iamprdagw04.nl.rsg sourcetype=appman:Script source=heartbeat-randstadnet@l2-iamprdagw04

And this not:

index=prd_stats sourcetype=appman:* source=heartbeat*

no results...

0 Karma
1 Solution

bmacias84
Champion

You search has implied AND. Splunk inserts AND between search terms.

This is what your search is accutually.


index=prd_stats AND sourcetype=appman:* AND source=heartbeat*

This is what I think you trying to do


index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")
OR
index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"

To avoid confusion I explictly define all my boolean search operators.

Additional Reading:

SearchReference

Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.

Cheers,

View solution in original post

bmacias84
Champion

You search has implied AND. Splunk inserts AND between search terms.

This is what your search is accutually.


index=prd_stats AND sourcetype=appman:* AND source=heartbeat*

This is what I think you trying to do


index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")
OR
index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"

To avoid confusion I explictly define all my boolean search operators.

Additional Reading:

SearchReference

Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.

Cheers,

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...