Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to seach using a concatenated string

Cris
Explorer
‎12-13-2011 09:28 AM

Hi,

I have a lot of sources like this:

source="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv"

and I want to make a search with a substring with part of the file name because the path and the host could change:

namefile="*-2011-Dec-12.csv"

But the search is:

sourcetype="mysourcetype" | eval namefile="*-2011-Dec-12.csv" | where source=namefile

doesn't word due to the wildchar (*) because the search:

sourcetype="mysourcetype" | eval namefile="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv" | where source=namefile

works perfectly.
Obviously I semplified the subsearch. In the eval function I will use the strftime function to extract year, month and day of today or yesterday and so on.
Any suggestions to use wildchar?

0 Karma
Reply

Drainy
Champion
‎12-13-2011 01:31 PM

Another option would be to just define a sourcetype for each source to keep things simpler. In your eval you have an issue with the wildcard as you have it surrounded with " "'s which turn it into a string literal, removing these will not make any difference as you can't store a wildcard in a variable defined by eval like that (that I am aware of)

Otherwise MHibbins suggestion to just search for source=*-2011-Dec-12.csv would work much better.

Reply

MHibbin
Influencer
‎12-13-2011 09:42 AM

Not sure if you have already tried this, but a simpler solution should be to search...

source="*-2011-Dec-12.csv"

or if the date changes...

source="*-audit-report-*"

Hope this answers your question.

If it does answer your question, please mark the answer as accepted (the tick next to the answer) for the benefit of the community.

Regards,

Matt

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...