Solved: Re: can i use "like" in search criteria

alexl1 · ‎07-09-2013

if one of my fields is host, I want to do

host like "startswith*"

what is the syntax to do that? thanks,

JSapienza · ‎07-09-2013

Here are are a couple ways.

host=foo*
... | where like(host, "foo%")

View solution in original post

pranjal · ‎02-12-2019

whats the best way to compare with a list of items.
I am looking for something like this:
|search where NotificationEventType in ("THE_CHEESEBURGER%", "THE_HAMBURGER%", "ETC%"...)

th1agarajan · ‎05-03-2018

@bcherdak : What is the best way to exclude event that start with foo*?

your search | where NOT like(host,"foo%")

This should do the magic.

ddrillic · ‎07-03-2016

-- bcherdak, you asked - "What is the best way to exclude event that start with foo*?"

I would say - ... NOT host = "foo*"

jtacy · ‎07-03-2016

While it's probably safe to use NOT host="foo*" since the host field should always exist, I'd favor the host!="foo*" syntax; if you have a pattern you're matching on, you probably expect that field to exist in the results. Using the NOT approach will also return events that are missing the field which is probably not what most people want.

JSapienza · ‎07-09-2013

Here are are a couple ways.

host=foo*
... | where like(host, "foo%")

alexl1 · ‎07-09-2013

thanks! ...

pranjal · ‎02-12-2019

whats the best way to compare with a list of items.
I am looking for something like this:
|search where NotificationEventType in ("THE_CHEESEBURGER%", "THE_HAMBURGER%", "ETC%"...)

bcherdak · ‎07-03-2016

What is the best way to exclude event that start with foo*?

jtacy · ‎07-03-2016

If you want to exclude events where a field doesn't start with foo*, use field!="foo*".

If you want to exclude events where the event itself doesn't start with foo*, you can use _raw!="foo*".

can i use "like" in search criteria

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?