Solved: Re: Use wildcard in source?

nishantjiit · ‎11-09-2017

I have a directory C:\logs

in this directory I have multiple files:

1: logging-projectname-0.log (There can be multiple files like *-1.log, *-2.log etc..)
2: logging-projectname-batch-0.log (There can be multiple files like *batch-1.log, *batch-2.log etc..)

I only want to search the files like #1. So, I tried ---- source="c:\logs\logging-projectname-[0-9]{1,}.log" SEARCH_STRING

It's not working. Can anyone suggest?

Thanks in advance.

somesoni2 · ‎11-09-2017

Another option would be this

your base search | regex source="c:\\\\logs\\\\logging-projectname-\d+\.log"

View solution in original post

richgalloway · ‎11-09-2017

source uses wildcards, not regular expressions. somesoni2's suggestion should work.

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎11-09-2017

Another option would be this

your base search | regex source="c:\\\\logs\\\\logging-projectname-\d+\.log"

nishantjiit · ‎11-09-2017

Thanks it worked

richgalloway · ‎11-09-2017

@nishantjiit, please accept an answer.

---
If this reply helps you, Karma would be appreciated.

skalliger · ‎11-09-2017

Why don't you just use a wildcard like you mentioned it yourself?
Nevermind that.

Skalli

edit: deleted my search string.

xavierashe · ‎11-09-2017

This should be an OR, not an AND.

skalliger · ‎11-09-2017

Oh, you're correct. I've misread that. Thought he wants only one but not the other one.

I'll edit it.

horsefez · ‎11-10-2017

@skalliger
stop being a noob 😛 😄

skalliger · ‎11-10-2017

Should have deleted my comment. 😄

Use wildcard in source?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Use wildcard in source?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?