Splunk Search

How to search for "*" (asterisk) values in a field?

Engager

Hi,

I have TYPE field, that have a value of *, **, ***.

When I'm trying to |search TYPE="*" (all of the events will be shown, all of the values)
and when I use |regex TYPE="\*" (all of the *,**,** will be shown.)

I need help for searching * ,**, *** in a specific field..

Thank you.

Path Finder

You can also do something like this:

| eval has_asterisks=if(like(field, "%*%"), 1, 0)
| where has_asterisks=1
0 Karma

Explorer

Welp, just came across your question and was wondering the same thing, not great news:

Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/SPLandregularexpressions

We just tried this, and indeed you can use "" in a `where fieldname=""` query, and it will work. No backslash required.

Revered Legend

Try something like this

your base search | where TYPE="*"                  ***to filter rows with TYPE=*
your base search | where TYPE="***"                  ***to filter rows with TYPE=***
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!