The studying material says that -
-- Wildcards in the middle of a string produce inconsistent results.
Why is it?
Check out the Splunk .conf talk by Martin Mueller:
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
Page 18 of 32.
Here is Splunk's official word:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Wildcards#Avoid_using_wildcards_in_the_mi...
Check out the Splunk .conf talk by Martin Mueller:
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
Page 18 of 32.
sounds like one for @martin_mueller to help with then 🙂
I would say thats not correct at all.
String matching is very predictable, and I frequently match all kinds of things with *'s in the middle.
host=-uk--* matches LIVE-uk-web-02 perfectly.
Never had any problem with it.
Are you sure it didn't say "inefficient" - a query filled with wildcards is not as fast as something specifically defined
From which documentation is this?
From the *Splunk Fundamentals Part 2 (IOD) * course.