Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a wildcard with a where clause?

allladin101
Explorer
‎11-14-2014 12:16 AM

Hi - I wish to use a wildcard in the where clause in the below query can someone help?

index=whatever* sourcetype=server
|rex field=CLIENT_VERSION "\'(?P.+)\'" 
|table version
|where version=*10_2*

here the value in the version field is FS_10_2_17387/FS_10_2_12387/FS_10_2_17987

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎11-14-2014 12:21 AM

Hi alladin101,

it's me again 🙂

Now I get it; no this is not the way you use where. If you use where you will compare two fields and their respective values. You would have to use search because this will search using the value of the field.

like this:

index=whatever* sourcetype=server
 |rex field=CLIENT_VERSION "\'(?P.+)\'" 
 |table version
 |search version=*10_2*

hope this helps...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎11-14-2014 12:21 AM

Hi alladin101,

it's me again 🙂

Now I get it; no this is not the way you use where. If you use where you will compare two fields and their respective values. You would have to use search because this will search using the value of the field.

like this:

index=whatever* sourcetype=server
 |rex field=CLIENT_VERSION "\'(?P.+)\'" 
 |table version
 |search version=*10_2*

hope this helps...

cheers, MuS

Reply
Solved! Jump to solution

MoniM
Communicator
‎10-16-2018 01:44 AM

hi,
if i want to add multiple values in the version field, can i use "AND" operator in search command?
for eg: | search version= 10 AND 12 AND 13
or how to include all three values in version field?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-16-2018 12:19 PM

How about this?
.... | search version="10" version="12" version="13"

0 Karma
Reply
Solved! Jump to solution

markbarber21
Path Finder
‎03-07-2017 02:37 PM

FYI - the optimizer will combine this into search(index=whatever* sourcetype=server version=*10_2*), as if it was part of the original search query.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎03-08-2017 01:47 AM

Yes, this is the difference between using where and search ; search can be basically used in the base/original search where as where will compare/eval values of fields ... even back in 2014 😉

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

LAcioffi
Explorer
‎02-01-2017 08:31 AM

This just saved my life! Thanks!

0 Karma
Reply
Solved! Jump to solution

allladin101
Explorer
‎11-14-2014 12:23 AM

Hi Mus,

Thanks for the answer 🙂

can i use this as well?
|where like(version,"%FX_10_2%")

Reply
Solved! Jump to solution

MuS
Legend
‎11-14-2014 12:38 AM

yes, this should work as well

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...