Solved: How to search start dot whatever?

summitsplunk · ‎04-23-2018

If I wanted everything with a .wav extension returned how would I format this?

index="myindex" AttCnt=* AttNames=* AttSize=* | stats count by AttNames | where AttNames="*.wav"

elliotproebstel · ‎04-23-2018

The answer above from @kmaron is technically correct, but your search will be more efficient if you move the desired spec into the base of the search. I'd recommend this:

index="myindex" AttCnt=* AttNames="*.wav" AttSize=* 
| stats count by AttNames

View solution in original post

elliotproebstel · ‎04-23-2018

The answer above from @kmaron is technically correct, but your search will be more efficient if you move the desired spec into the base of the search. I'd recommend this:

index="myindex" AttCnt=* AttNames="*.wav" AttSize=* 
| stats count by AttNames

niketn · ‎04-23-2018

Actually @elliotproebstal while your answer and approach is correct I am afraid @kmaron 's query is not. Following with where would work, however best approach is to filter required results upfront if possible like you have suggested.

<baseSearch>
| where AttNames like("%.wav")

Run anywhere test queries
Only if AttNames is actually "*.wav" where will work. If AttNames changes to something like "test.wav" it will not.

| makeresults
| eval AttNames="*.wav"
| where AttNames="*.wav"

Correct query with like()

| makeresults
| eval AttNames="test.wav"
| where AttNames like("%.wav")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-23-2018

Ahh, good clarification, @niketnilay. Thanks!

niketn · ‎04-23-2018

Anytime @elliotproebstel... But I can't figure out why I always misspell your name 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-23-2018

I inserted a script into your browser to randomize how you spell my name. 🙂

kmaron · ‎04-23-2018

I was focused on the wildcard not the where part. Sorry.

niketn · ‎04-23-2018

@kmaron, no need to be sorry, you are trying to help out your mates here 😉 We all get fixated on some things from time to time. We error out and then correct it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

summitsplunk · ‎04-23-2018

I thought @kmaron way would work but when I do that:

index="myindex" AttCnt= AttNames= AttSize= | stats count by AttNames | where AttNames="*.wav"

I get no results whereas when I do it your way I get results.

Its odd, but thank you

kmaron · ‎04-23-2018

where AttNames="*.wav"

If you put a * in front of the .wav you'll get anything that ends with .wav

kmaron · ‎04-23-2018

please disregard this comment. It's wrong.

How to search start dot whatever?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?