Re: need to search for asterisk C asterisk in splu...

alexl1 · ‎05-21-2013

hi, how do I search for asterisk C asterisk in splunk, in other words C

when I put that as the search criteria it returns all C's and things * is a wildcard. I tried backslash and double asterisk but those didn't work either. Thanks,

linu1988 · ‎08-27-2014

Hello,
Could you try this?

...|eval result=if(match(_raw," C "),"True","False")|...

OR

...|eval result=if(match(_raw,"\sC\s"),"True","False")|...

Thanks,
L

894859 · ‎08-27-2014

I use evals to search my * values as needed. As an example if you are searching against savedsearches, you will see the cron_schedule of a saved search which will most likely include asterisks. I would think this would also work in your situation:

| eval containsAsterisk=if(_raw LIKE "%C*%", "Yes", "No")
| search containsAsterisk=Yes

mahlerrd · ‎05-21-2013

Markup fixes: that's backslash asterisk C backslash asterisk.

alexl1 · ‎05-21-2013

yeah tried that, didn't help

mahlerrd · ‎05-21-2013

I don't have any asterisks to confirm with, but have you tried working it around like the following?

 regex _raw="*"

I believe you'll want, specifically, "*C*" but I'm not a regex expert. 😞

I found this here http://splunk-base.splunk.com/answers/13442/how-do-i-search-for-the-character

I_am_Jeff · ‎05-21-2013

I found this. Might be helpful. "Search for * in log"
http://splunk-base.splunk.com/answers/34250/search-for-in-log

need to search for asterisk C asterisk in splunk

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

need to search for asterisk C asterisk in splunk

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases