Solved: How to use wildcards with host in a search? - Splunk Community

Splunk Search

I am building a search for all index=*, but I have a large number of hosts. These hosts are grouped together with our naming convention of letters and numbers at the end (ex: PRDOxxx) I have it like this right now:

Currently using:

Index=* Host=*

Picks up everything, but trying to narrow it down, I tried:

Index=* Host=prdo* OR Host=OCC*

Does not pick up anything.

1 Solution

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

View solution in original post

Solution

As somesoni2 mentioned, the field names are case sensitive, so this is a good guess as to why the search isn't turning up anything.

Was this a resolution?

Yes, It was a case issue.
thank you

The field names are case sensitive (values are not case sensitive in the bases earch). So could you try this

index=* host=prdo* OR host=OCC*

Thank you ...

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...