Solved: Re: How to use wildcards with host in a search?

msackett · ‎08-07-2015

I am building a search for all index=*, but I have a large number of hosts. These hosts are grouped together with our naming convention of letters and numbers at the end (ex: PRDOxxx) I have it like this right now:

Currently using:

Index=* Host=*

Picks up everything, but trying to narrow it down, I tried:

Index=* Host=prdo* OR Host=OCC*

Does not pick up anything.

muebel · ‎09-29-2015

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

View solution in original post

muebel · ‎09-29-2015

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

msackett · ‎09-29-2015

Yes, It was a case issue.
thank you

somesoni2 · ‎08-07-2015

The field names are case sensitive (values are not case sensitive in the bases earch). So could you try this

index=* host=prdo* OR host=OCC*

msackett · ‎09-28-2015

Thank you ...

How to use wildcards with host in a search?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

How to use wildcards with host in a search?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk