and I want to make a search with a substring with part of the file name because the path and the host could change:
But the search is:
sourcetype="mysourcetype" | eval namefile="*-2011-Dec-12.csv" | where source=namefile
doesn't work due to the wildcard (*) because the search:
sourcetype="mysourcetype" | eval namefile="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv" | where source=namefile
Obviously I simplified the subsearch. In the eval function I will use the strftime function to extract the year, month and day of today or yesterday and so on.
Any suggestions on how to use a wildcard?
Another option would be to just define a sourcetype for each source to keep things simpler. In your eval you have an issue with the wildcard, as you have it surrounded with quotation marks, which turn it into a string literal. Removing these will not make any difference, as you can't store a wildcard in a variable defined by eval like that (that I am aware of).
Otherwise, MHibbins' suggestion to just search for source=*-2011-Dec-12.csv would work much better.
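An added example, not part of the original posts, showing two ways to match on a file-name suffix computed from yesterday's date. The first keeps the eval/where shape from the question but uses like(), whose wildcard is % rather than *; the second has a subsearch hand source="*-<date>.csv" back to the base search, where * is honored. The use of relative_time for "yesterday" and of makeresults (available on newer Splunk versions) are assumptions.

```spl
sourcetype="mysourcetype"
| eval namefile="%-".strftime(relative_time(now(), "-1d@d"), "%Y-%b-%d").".csv"
| where like(source, namefile)

sourcetype="mysourcetype"
    [| makeresults
     | eval source="*-".strftime(relative_time(now(), "-1d@d"), "%Y-%b-%d").".csv"
     | fields source]
```

The second form filters in the base search instead of after all events of the sourcetype have been retrieved, so it is usually the cheaper of the two.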