Splunk Search

How to seach using a concatenated string

Cris
Explorer

Hi,

I have a lot of sources like this:

source="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv"

and I want to make a search with a substring with part of the file name because the path and the host could change:

namefile="*-2011-Dec-12.csv"

But the search is:

sourcetype="mysourcetype" | eval namefile="*-2011-Dec-12.csv" | where source=namefile

doesn't word due to the wildchar (*) because the search:

sourcetype="mysourcetype" | eval namefile="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv" | where source=namefile

works perfectly.
Obviously I semplified the subsearch. In the eval function I will use the strftime function to extract year, month and day of today or yesterday and so on.
Any suggestions to use wildchar?

0 Karma

Drainy
Champion

Another option would be to just define a sourcetype for each source to keep things simpler. In your eval you have an issue with the wildcard as you have it surrounded with " "'s which turn it into a string literal, removing these will not make any difference as you can't store a wildcard in a variable defined by eval like that (that I am aware of)

Otherwise MHibbins suggestion to just search for source=*-2011-Dec-12.csv would work much better.

MHibbin
Influencer

Not sure if you have already tried this, but a simpler solution should be to search...

source="*-2011-Dec-12.csv"

or if the date changes...

source="*-audit-report-*"

Hope this answers your question.

If it does answer your question, please mark the answer as accepted (the tick next to the answer) for the benefit of the community.

Regards,

Matt

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...