Splunk Search

How to use a wildcard in a where clause?

rndp89
Explorer

I am using the search below to shunt "ORA-00001" from a set of log files. This search works fine for just one log file.

index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/sit/camel-audit.log"] 

but when I put a wildcard in the where clause, it doesn't work. Could you please help me on how to use wildcard in a where clause?

index=xyz* NOT [search index=xyz* "*ORA-00001*" | WHERE source="/logs/*/camel-audit.log"] 
1 Solution

richgalloway
SplunkTrust
SplunkTrust

@ctaf's comment is a good one, but if you insist on using the where command you can't use wildcards. Try like, instead.

index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")]

Notice the like command uses SQL-style wildcards.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

@ctaf's comment is a good one, but if you insist on using the where command you can't use wildcards. Try like, instead.

index=xyz* NOT [search index=xyz* "ORA-00001" | WHERE like(source,"/logs/%/camel-audit.log")]

Notice the like command uses SQL-style wildcards.

---
If this reply helps you, Karma would be appreciated.

rndp89
Explorer

thanks! it worked.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ctaf
Contributor

Hello,

Why using a where clause?
You could just do:
index=xyz* NOT [search index=xyz* "ORA-00001" source="/logs/*/camel-audit.log"]

And perhaps even simpler:
index=xyz* NOT ("ORA-00001" AND source="/logs/*/camel-audit.log")

rndp89
Explorer

thank you .

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...