Solved: How to use wildcards with host in a search? - Splunk Community

Splunk Search

I am building a search for all index=*, but I have a large number of hosts. These hosts are grouped together with our naming convention of letters and numbers at the end (ex: PRDOxxx) I have it like this right now:

Currently using:

Index=* Host=*

Picks up everything, but trying to narrow it down, I tried:

Index=* Host=prdo* OR Host=OCC*

Does not pick up anything.

1 Solution

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

View solution in original post

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

Yes, It was a case issue.
thank you

The field names are case sensitive (values are not case sensitive in the bases earch). So could you try this

index=* host=prdo* OR host=OCC*

Thank you ...

Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...