Splunk Search

How do you match the exact wild card in the following search string?

Kwip
Contributor

Hi All,

I am using a form where I will get input for one field and produce results using it. The input may contain wild cards sometimes.

Here is the issue when the input contains a wild card.

Example:

Input field Name - SampleName
SampleName - Jobname.id.*.runtime

When using the above search, I only want to match the events that contain the following:

Jobname.id.12345.runtime
Jobname.id.34521.runtime
Jobname.id.87645.runtime

But I am getting some more matching events including the said ones.

Jobname.id.12345.runtime - Needed
Jobname.id.34521.runtime - Needed
Jobname.id.87645.runtime - Needed
Jobname.id.87645.turn1.runtime - Not needed
Jobname.id.12345.turn2.runtime - Not needed
Jobname.id.87645.trn.runtime - Not needed

Please help me to fine tune my query to only match the events I need.

1 Solution

Richfez
SplunkTrust

The question as asked, if I'm reading this correctly, is that you want to match certain results, but not others. The ones you want to match have only digits in that middle piece, no extra "words" or other things.

You didn't provide the initial base search, so I just have to "lorem ipsum" it.

One way is to build a more specific matching string.

... base search here
| rex field=SampleName "(?<isneeded>Jobname\.id\.\d+\.runtime)"
| search isneeded="*"

The idea is that the rex will only define the field isneeded if the overall regular expression fits, and that regex is the specific words (with escaped periods!) of "Jobname.id." followed by \d+ which is one or more digits, followed by ".runtime". So if there are extra non-digits in there somewhere, it won't match anything, and thus isneeded will not be a field in that event. Lastly, we just search where isneeded got defined.

You could also use that same, or a similar, search in match which maybe is more clear:

... base search here
| eval matches = if(match(SampleName,"Jobname\.id\.\d+\.runtime"), 1, 0)
| search matches=1

(That last was pulled nearly verbatim out of the documentation.)

I hope this helps!

Happy Splunking,
Rich


woodcock
Esteemed Legend

It is not possible; the best that you can do is something like this:

index=YouShoulAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo SampleName = Jobname.id.*.runtime
| where match(SampleName, "^Jobname\.id\.\d+\.runtime$")
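Both answers above make the same move: replace the form's `*` with `\d+`, and (in woodcock's version) anchor the pattern with `^` and `$`. As an added example, not code from the thread, here is that logic in Python over a constructed event list, using a hypothetical helper that builds the regex from the form input and escapes the literal pieces so a user-typed pattern cannot inject regex syntax of its own.

```python
import re

# Constructed sample values of the SampleName field: the three wanted and
# three unwanted values from the question, plus one extra value (not on the
# page) that shows why the anchors in woodcock's version matter.
EVENTS = [
    "Jobname.id.12345.runtime",         # needed
    "Jobname.id.34521.runtime",         # needed
    "Jobname.id.87645.runtime",         # needed
    "Jobname.id.87645.turn1.runtime",   # not needed
    "Jobname.id.12345.turn2.runtime",   # not needed
    "Jobname.id.87645.trn.runtime",     # not needed
    "Jobname.id.99999.runtime.old",     # constructed: trailing text
]


def wildcard_to_regex(pattern, star=".*", anchored=True):
    r"""Hypothetical helper: translate a form input such as
    'Jobname.id.*.runtime' into a regex. Literal pieces go through
    re.escape so '.' stays a literal dot and regex metacharacters typed
    into the form are neutralised; each '*' becomes `star`.
    star='.*' reproduces the Splunk wildcard the form search uses today,
    star=r'\d+' gives the digits-only match from the answers."""
    body = star.join(re.escape(piece) for piece in pattern.split("*"))
    return f"^{body}$" if anchored else body


def select(pattern, events, star=".*", anchored=True):
    """Return the events the pattern matches, like SPL `where match(...)`."""
    rx = re.compile(wildcard_to_regex(pattern, star, anchored))
    return [e for e in events if rx.search(e)]


if __name__ == "__main__":
    form_input = "Jobname.id.*.runtime"
    # plain wildcard: all six values from the question match
    print("wildcard         :", select(form_input, EVENTS))
    # unanchored \d+ (rex / match as in the accepted answer): the three
    # wanted values, but also the constructed '...runtime.old' value
    print("unanchored digits:", select(form_input, EVENTS, r"\d+", False))
    # anchored \d+ (woodcock's version): exactly the three wanted values
    print("anchored digits  :", select(form_input, EVENTS, r"\d+"))
```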

Kwip
Contributor

Thank you @rich7177. It is working fine.
