Solved: How to use wildcards with host in a search? - Splunk Community

Splunk Search

I am building a search for all index=*, but I have a large number of hosts. These hosts are grouped together with our naming convention of letters and numbers at the end (ex: PRDOxxx) I have it like this right now:

Currently using:

Index=* Host=*

Picks up everything, but trying to narrow it down, I tried:

Index=* Host=prdo* OR Host=OCC*

Does not pick up anything.

1 Solution

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

View solution in original post

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

Yes, It was a case issue.
thank you

The field names are case sensitive (values are not case sensitive in the bases earch). So could you try this

index=* host=prdo* OR host=OCC*

Thank you ...

Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...