Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Wildcards on the left side of a comparison

jerdmann
Path Finder
‎01-07-2014 07:49 AM

Is there any way to use a wildcard on the left side of a comparison in a Splunk search? We have a scripted input that returns physical drive status across many systems, and the results look like this:

hostname=some_hostname physDrv1=ok physDrv2=ok physDrv3=ok physDrv4=failed

Is there any way to search for events that have any non-OK lines like below? This apparently doesn't work and I haven't found anything in the Splunk documentation. 

sourcetype=drive_status | where physDrv*!="ok"

For now, we just hardcode every possible drive property in the search like below and it works fine, but it would be cool to write a more elegant search if possible. Let me know what you think. Thanks for the help!

sourcetype=drive_status | where physDrv1!="ok" OR physDrv2!="ok" OR physDrv3!="ok" OR physDrv4!="ok"
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-07-2014 08:06 AM

Try following

index=blah sourcetype=blah NOT "physDrv*=ok" | <do more>

UPDATED Search

Try this

index=blah sourcetype=blah | rex max_match=0 "(?m)physDrv[0-9]*=(?<drive_status>[^ ]+)" | nomv drive_status | eval drive_status=replace(drive_status,"ok","") | where drive_status!=""

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-07-2014 08:06 AM

Try following

index=blah sourcetype=blah NOT "physDrv*=ok" | <do more>

UPDATED Search

Try this

index=blah sourcetype=blah | rex max_match=0 "(?m)physDrv[0-9]*=(?<drive_status>[^ ]+)" | nomv drive_status | eval drive_status=replace(drive_status,"ok","") | where drive_status!=""
Reply
Solved! Jump to solution

jerdmann
Path Finder
‎01-07-2014 11:29 AM

Perfect, works like a treat! I had to modify the above slightly (see below), but this is otherwise exactly what I needed. Thanks a ton!

rex max_match=0 "(?m)physDrv[0-9]+=(?[\w]+)" | nomv drive_status | eval drive_status=replace(drive_status,"ok\s*","") | where drive_status!=""

Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎01-07-2014 08:58 AM

Please see if the updated answer works.

0 Karma
Reply
Solved! Jump to solution

jerdmann
Path Finder
‎01-07-2014 08:32 AM

Hmmm, no dice here either. This filters out all events that an OK in any of the drives/properties, similar to the above suggestion.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-07-2014 07:59 AM

You could try:

sourcetype=drive_status NOT "ok" | your stats or table

But you have to be careful how you use it because it will ignore "ok" regardless of the field. In your example, it looks like ignoring "ok" will not be a problem.

0 Karma
Reply
Solved! Jump to solution

jerdmann
Path Finder
‎01-07-2014 08:02 AM

Cool, thanks for the feedback. I'm not sure if this will work though, as it looks like this filters out all events that have the text "ok" anywhere in them.

I gave it a shot and it filters out all results which obviously isn't what we want. Thanks for the suggestion though!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...