Solved: Re: How to add a wild card to all the field values...

pavanae · ‎04-16-2018

I have a query as follows

| inputlookup hosts.csv | table host | format

Which gives the result as follows

( ( host="abc" ) OR ( host="def" ) OR ( host="ghi" ) OR ( host="jkl" ))

Now, how to modify my current query to get the result as follows

( ( host="abc*" ) OR ( host="def*" ) OR ( host="ghi*" ) OR ( host="jkl*" ))

Is there any way that I can add the wildcard to all the host field values either by eval or regex. Please let me know if there is any possibility?

elliotproebstel · ‎04-16-2018

Very easy! Just do this:

| inputlookup hosts.csv 
| table host 
| eval host=host."*"
| format

That will append a wildcard to the end of the string in each host field.

View solution in original post

elliotproebstel · ‎04-16-2018

Very easy! Just do this:

| inputlookup hosts.csv 
| table host 
| eval host=host."*"
| format

That will append a wildcard to the end of the string in each host field.

pavanae · ‎04-16-2018

worked perfect. Thank you @elliotproebstel

clintla · ‎01-02-2019

So if you use
| eval name1=upper(name1)."*"
| search host=name1

This should work right?

When I look at the field values- Name is exactly correct but when I use the name1 field it doesnt work.
if I swap it out with just the value- it works.. almost like the wildcard doesnt count if its in the field.

elliotproebstel · ‎04-16-2018

Glad to help 🙂

How to add a wild card to all the field values at the end of a field?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI

Are you a member of the Splunk Community?

How to add a wild card to all the field values at the end of a field?

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability for AI