I want to search for "index=*" ....
what is the best way to run it ?
I tried to run "index=\*" but it's not working
Hi @rayar,
let me understand: do you want to run a search that matches the string "index=*"?
If this is your need you could use the regex command:
something like this:
your_search
| regex _raw="index\=\*"
Ciao.
Giuseppe
Hello Sir,
If I understand you want to find the string 'Index=*' somewhere in an index. It is an interesting problem, but I think you will find this works
index=_internal AND "Index=" | rex field=_raw "(?<StarDex>Index\=\*)" | search StarDex != ""
OF course replace _internal with the index in which you wish to search
Regards,
R.
Hi @rayar,
let me understand: do you want to run a search that matches the string "index=*"?
If this is your need you could use the regex command:
something like this:
your_search
| regex _raw="index\=\*"
Ciao.
Giuseppe
it worked , thanks
Hi @rayar,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
To search all indexes, use
index=*
there's no need to escape the asterisk. Be warned that your admin may have created workload management rules that block such queries (they tend to be resource-intensive).
If, OTOH, you're trying to find the literal text "index=*" then using quotation marks around the string should be enough. Again, no need to escape anything.
If those ideas don't help then please detail what is meant by "it's not working".