With SPL2, you can use wildcards to match characters in string values. The wildcard that you use depends on the command that you are using the wildcard with. The following table describes the supported wildcards:
|where command and WHERE clause||LIKE function with the percent ( % ) symbol or underscore ( _ ) character||Use the percent ( % ) symbol to match multiple characters. Use the underscore ( _ ) character to match a single character. See the like (<str>, <pattern>) function in the list of Comparison and Conditional eval functions.|
|eval command||LIKE function with the percent ( % ) symbol or underscore ( _ ) character||Use the percent ( % ) symbol to match multiple characters. Use the underscore ( _ ) character to match a single character. See the like (<str>, <pattern>) function in the list of Comparison and Conditional eval functions.|
|All other commands||Asterisk ( * ) character||Use to match an unlimited number of characters in a string. For example,
Wildcard strings must be in quotation marks
When you use a wildcard character, the string must be enclosed in quotation marks. For example:
where like(ipaddress, "198.%")
If you specify an asterisk with no other criteria, you are asking to match everything. Yes, everything. All events are retrieved, up to the maximum limit. A search to match everything is both inefficient and time consuming. You'll use a lot of system resources, which can prevent others from running their searches. Additionally, you might wait a long time for your search results.
To avoid these problems, be as specific as you in your search criteria.
The more specific your search terms are, the more efficient your search is. Sometimes that means not using a wildcard. Searching for a specific word or phrase is more efficient than a search that uses a wildcard. For example, searching for
"access denied" is always better than searching for
Best practices for using wildcards
The best way to use a wildcard is at the end of a term.
Specify a field-value pair whenever possible to avoid searching the
raw field, which is the entire event. For example:
WHERE like(source, "license%")
When to avoid wildcard characters
There are several situations in which you should avoid using wildcard characters.
Avoid using wildcards in the middle of a string
Wildcard characters in the middle of a word or string might cause inconsistent results. This is especially true if the string contains punctuation, such as an underscore
_ or dash
For example, suppose you have the following list of product IDs.
DB-SG-G01 DC-SG-G02 MB-AG-G07 MB-AG-T01 SC-MG-G01 SF-BVS-G01 SG-SH-G05 WC-SH-A02 WC-SH-G04
You create a search that looks for all of the product IDs that begin with the letter S and end in G01.
That search will fail.
When the events with the product IDs are indexed, the product IDs are broken up into segments. For example, the product ID
SC-MG-G01 has these segments:
G01. There is no segment that starts with an S and ends with G01 which is what the search
productID="S*G01" specifies. Because there are no segments that match your search, no results are found.
A search that uses a wildcard in the middle of the term returns inconsistent results because of the way in which data that contains punctuation is indexed and searched.
To learn more about how punctuation can impact using wildcards, see Event segmentation and searching.
The solution to this problem?
- If the number of product IDs is small, specify the exact product IDs in your search rather than using a wildcard. For example:
productID="SC-MG-G01" OR productID="SF-BVS-G01"
- If the number of product IDs is large, use a lookup instead of a wildcard.
Avoid using wildcards to match punctuation
Punctuation are characters that are not numbers or letters. If you want to match part of a string that includes punctuation, specify each string with the punctuation that you are searching for.
For example, you have the following values in the
uri_path field in your events.
/cart.do /cart/error.do /cart/success.do /category.screen /oldlink /product.screen /productscreen.html /show.do /stuff/logo.ico
You want to match every
uri_path that starts with
/cart. The problem is that the paths contain a forward slash ( / ) character and period ( . ) character. Instead of specifying a wildcard character for the punctuation such as
/cart*, specify the punctuation directly in your search criteria. For example:
...uri_path="/cart.do" OR uri_path="/cart/error.do" OR uri_path="/cart/success.do"
Avoid using wildcards as prefixes
When you use a wildcard character at the beginning of a string, the search must look at every string to determine if the end of the string matches what you specify after the asterisk. Using a prefix wildcard is almost like using a wildcard by itself. Prefix wildcards might cause performance issues.
Avoid using wildcards at the beginning of search terms.
Searching for the asterisk character
You can't search for the asterisk ( * ) character directly because the character is reserved as a wildcard.
However, you can search for a term without the asterisk and then use either the
where command or the
match function to filter the results.
For example, to search for a term that contains an asterisk such as
*78, use these steps:
- First search for
78without the asterisk, which returns all events that contain the number.
- Follow that with
| where _raw="\*78"to return only those events that contain
The backslash ( \ ) is used in the regular expression to not interpret, or escape, the asterisk character.
Commands that sort results
This documentation applies to the following versions of Splunk® Cloud Services: current