Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a wildcard in a where clause?

rndp89
Explorer
‎04-25-2016 11:00 PM

I am using the search below to shunt "ORA-00001" from a set of log files. This search works fine for just one log file.

index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/sit/camel-audit.log"]

but when I put a wildcard in the where clause, it doesn't work. Could you please help me on how to use wildcard in a where clause?

index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/*/camel-audit.log"]
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2016 06:09 AM

@ctaf's comment is a good one, but if you insist on using the where command you can't use wildcards. Try like, instead.

index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")]

Notice the like command uses SQL-style wildcards.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2016 06:09 AM

@ctaf's comment is a good one, but if you insist on using the where command you can't use wildcards. Try like, instead.

index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")]

Notice the like command uses SQL-style wildcards.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rndp89
Explorer
‎04-28-2016 03:36 AM

thanks! it worked.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-28-2016 04:40 AM

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎04-26-2016 05:54 AM

Hello,

Why using a where clause?
You could just do:
index=xyz* NOT [search index=xyz* "ORA-00001" source="/logs/*/camel-audit.log"]

And perhaps even simpler:
index=xyz* NOT ("ORA-00001" AND source="/logs/*/camel-audit.log")

Reply
Solved! Jump to solution

rndp89
Explorer
‎04-28-2016 03:35 AM

thank you .

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...