
Wildcards
Use the asterisk wildcard character ( * ) to match an unrestricted number of characters in a string. If you specify an asterisk with no other criteria, you are asking to match everything. All events are retrieved up to the maximum limit. Searching for * as part of a string generates matches based on that string. For example:
my* matches myhost1, myhost.ny.mydomain.com, myeventtype, and so on.
*host matches myhost, yourhost, and so on.
*host* matches host1, myhost3, yourhost27.yourdomain.com, and so on.
The more specific your search terms are to the events that you want to retrieve, the better chance you have of matching the terms. For example, searching for access denied is always better than searching for denied. If 90% of your events have the word error but only 5% have the word sshd, and the events that you want to find require both of these words, include sshd in the search to make it more efficient.
When to avoid wildcard characters
There are several situations in which you should avoid using wildcard characters.
Avoid using wildcards in the middle of a string
Wildcard characters in the middle of a word or string might cause inconsistent results. This is especially true if the string contains punctuation, such as an underscore ( _ ) or dash ( - ) character.
For example, suppose you have the following list of product IDs.
DB-SG-G01 DC-SG-G02 MB-AG-G07 MB-AG-T01 SC-MG-G01 SF-BVS-G01 SG-SH-G05 WC-SH-A02 WC-SH-G04
You create a search that looks for all of the product IDs that begin with the letter S and end in G01.
...productID=S*G01 ...
Because the product IDs contain punctuation, the search results might be inconsistent because of the way in which data that contains punctuation is indexed.
If the number of product IDs is small, specify the exact product IDs in your search. For example:
...productID=SC-MG-G01 OR productID=SF-BVS-G01 ...
If the number of product IDs is large, use a lookup. See About lookups and work flow actions.
Avoid using wildcards to match punctuation
Punctuation characters are characters that are not numbers or letters. If you want to match part of a string that includes punctuation, specify each string with the punctuation that you are searching for.
For example, you have the following values in the uri_path field in your events.
/cart.do /cart/error.do /cart/success.do /category.screen /oldlink /product.screen /productscreen.html /show.do /stuff/logo.ico
You want to match every uri_path that starts with /cart. The problem is that the paths contain a forward slash ( / ) character and period ( . ) character. Instead of specifying a wildcard character for the punctuation such as /cart*, specify the punctuation directly in your search criteria. For example, specify /cart.do OR /cart/error.do OR /cart/success.do.
Prefix wildcards might cause performance issues
When you use a wildcard character at the beginning of a string, performance degradation might occur.
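The helper below is an added example, not part of the Splunk documentation. It flags the three wildcard placements described above and rewrites a wildcarded term as the explicit OR search the page recommends, using the sample values from this page. The function name, the risk labels and the case-insensitive comparison are assumptions of the example.

```python
import re

def review_wildcard(field, pattern, known_values):
    """Hypothetical helper: return (risks, explicit_search) for one search term."""
    # Only "*" is a wildcard; every other character in the term is literal.
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    # Assumption of this example: terms are compared case-insensitively.
    rx = re.compile("(.*)".join(literal_parts) + r"\Z", re.IGNORECASE)

    risks = set()
    if pattern.startswith("*"):
        risks.add("prefix wildcard")
    if "*" in pattern.strip("*"):
        risks.add("wildcard in middle of string")

    hits = []
    for value in known_values:
        m = rx.match(value)
        if m is None:
            continue
        hits.append(value)
        # Punctuation: any character that is not a number or a letter.
        if any(re.search(r"[^A-Za-z0-9]", span) for span in m.groups()):
            risks.add("wildcard matches punctuation")

    prefix = f"{field}=" if field else ""
    return sorted(risks), " OR ".join(prefix + v for v in hits)

# Sample values taken from the examples on this page.
PRODUCT_IDS = ("DB-SG-G01 DC-SG-G02 MB-AG-G07 MB-AG-T01 SC-MG-G01 "
               "SF-BVS-G01 SG-SH-G05 WC-SH-A02 WC-SH-G04").split()
URI_PATHS = ("/cart.do /cart/error.do /cart/success.do /category.screen /oldlink "
             "/product.screen /productscreen.html /show.do /stuff/logo.ico").split()

if __name__ == "__main__":
    cases = [("productID", "S*G01", PRODUCT_IDS), (None, "/cart*", URI_PATHS)]
    for field, pattern, values in cases:
        risks, explicit = review_wildcard(field, pattern, values)
        print(pattern, "->", risks)
        print("  use instead:", explicit)
```

When the list of matching values is too long for an explicit OR clause, the page's advice to use a lookup applies instead.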
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0