Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using wildcards in a search string

andybeh
New Member
‎07-03-2014 03:28 PM

Hi All,

Can someone please explain how I use a wildcard character in the middle of a search string? For example, if I want find all gmail addresses that start with the letter 'a', I thought I could search for emailaddress="a*@gmail.com, however this returns all records. I guess I have to use a regex but my knowledge hasn't reached that level yet so I am struggling with this one.

Cheers

AB

Tags (1)
0 Karma
Reply

gopala
New Member
‎03-15-2016 08:13 AM

Is not working for me either.

I tried
index=my_index | regex my_field="^my*.value.com"

and it is not finding anything even I

Where it should match
my1.value.com
my2.value.com
my100.value.com
etc....

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-03-2014 05:09 PM

other than the fact that you are missing a closing double quote in your example. That will work fine.
Is that a typo?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply

laithmurad
Path Finder
‎07-03-2014 05:05 PM

Hi AB,

Strange, I just tried you're search query emailaddress="a*@gmail.com" and it worked to filter emails that starts with an a, wildcards should work like you expected.

Alternatively use the regex command to filter you're results, for you're case just append this command to you're search.

| regex emailaddress="^a.*@gmail.com"

This will find all emails that starts with an "a" and ends with "@gmail.com"

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...