Splunk Search

How to seach using a concatenated string



I have a lot of sources like this:


and I want to make a search with a substring with part of the file name because the path and the host could change:


But the search is:

sourcetype="mysourcetype" | eval namefile="*-2011-Dec-12.csv" | where source=namefile

doesn't word due to the wildchar (*) because the search:

sourcetype="mysourcetype" | eval namefile="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv" | where source=namefile

works perfectly.
Obviously I semplified the subsearch. In the eval function I will use the strftime function to extract year, month and day of today or yesterday and so on.
Any suggestions to use wildchar?

0 Karma


Another option would be to just define a sourcetype for each source to keep things simpler. In your eval you have an issue with the wildcard as you have it surrounded with " "'s which turn it into a string literal, removing these will not make any difference as you can't store a wildcard in a variable defined by eval like that (that I am aware of)

Otherwise MHibbins suggestion to just search for source=*-2011-Dec-12.csv would work much better.


Not sure if you have already tried this, but a simpler solution should be to search...


or if the date changes...


Hope this answers your question.

If it does answer your question, please mark the answer as accepted (the tick next to the answer) for the benefit of the community.



0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...