Solved: How to search start dot whatever?

summitsplunk · ‎04-23-2018

If I wanted everything with a .wav extension returned how would I format this?

index="myindex" AttCnt=* AttNames=* AttSize=* | stats count by AttNames | where AttNames="*.wav"

elliotproebstel · ‎04-23-2018

The answer above from @kmaron is technically correct, but your search will be more efficient if you move the desired spec into the base of the search. I'd recommend this:

index="myindex" AttCnt=* AttNames="*.wav" AttSize=* 
| stats count by AttNames

View solution in original post

elliotproebstel · ‎04-23-2018

The answer above from @kmaron is technically correct, but your search will be more efficient if you move the desired spec into the base of the search. I'd recommend this:

index="myindex" AttCnt=* AttNames="*.wav" AttSize=* 
| stats count by AttNames

niketn · ‎04-23-2018

Actually @elliotproebstal while your answer and approach is correct I am afraid @kmaron 's query is not. Following with where would work, however best approach is to filter required results upfront if possible like you have suggested.

<baseSearch>
| where AttNames like("%.wav")

Run anywhere test queries
Only if AttNames is actually "*.wav" where will work. If AttNames changes to something like "test.wav" it will not.

| makeresults
| eval AttNames="*.wav"
| where AttNames="*.wav"

Correct query with like()

| makeresults
| eval AttNames="test.wav"
| where AttNames like("%.wav")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-23-2018

Ahh, good clarification, @niketnilay. Thanks!

niketn · ‎04-23-2018

Anytime @elliotproebstel... But I can't figure out why I always misspell your name 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-23-2018

I inserted a script into your browser to randomize how you spell my name. 🙂

kmaron · ‎04-23-2018

I was focused on the wildcard not the where part. Sorry.

niketn · ‎04-23-2018

@kmaron, no need to be sorry, you are trying to help out your mates here 😉 We all get fixated on some things from time to time. We error out and then correct it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

summitsplunk · ‎04-23-2018

I thought @kmaron way would work but when I do that:

index="myindex" AttCnt= AttNames= AttSize= | stats count by AttNames | where AttNames="*.wav"

I get no results whereas when I do it your way I get results.

Its odd, but thank you

kmaron · ‎04-23-2018

where AttNames="*.wav"

If you put a * in front of the .wav you'll get anything that ends with .wav

kmaron · ‎04-23-2018

please disregard this comment. It's wrong.

How to search start dot whatever?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms