How to seach using a concatenated string

Cris · ‎12-13-2011

Hi,

I have a lot of sources like this:

source="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv"

and I want to make a search with a substring with part of the file name because the path and the host could change:

namefile="*-2011-Dec-12.csv"

But the search is:

sourcetype="mysourcetype" | eval namefile="*-2011-Dec-12.csv" | where source=namefile

doesn't word due to the wildchar (*) because the search:

sourcetype="mysourcetype" | eval namefile="/u01/app/oracle/admin/AUD/audit/report/host-audit-report-2011-Dec-12.csv" | where source=namefile

works perfectly.
Obviously I semplified the subsearch. In the eval function I will use the strftime function to extract year, month and day of today or yesterday and so on.
Any suggestions to use wildchar?

Drainy · ‎12-13-2011

Another option would be to just define a sourcetype for each source to keep things simpler. In your eval you have an issue with the wildcard as you have it surrounded with " "'s which turn it into a string literal, removing these will not make any difference as you can't store a wildcard in a variable defined by eval like that (that I am aware of)

Otherwise MHibbins suggestion to just search for source=*-2011-Dec-12.csv would work much better.

MHibbin · ‎12-13-2011

Not sure if you have already tried this, but a simpler solution should be to search...

source="*-2011-Dec-12.csv"

or if the date changes...

source="*-audit-report-*"

Hope this answers your question.

If it does answer your question, please mark the answer as accepted (the tick next to the answer) for the benefit of the community.

Regards,

Matt

How to seach using a concatenated string

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!