Splunk® Enterprise

Search Manual


Wildcards

You can use the asterisk ( * ) character as a wildcard to match an unlimited number of characters in a string. For example, my* matches myhost1 and myhost.ny.mydomain.com.

Be efficient

If you specify an asterisk with no other criteria, you are asking to match everything. Yes, everything. All events are retrieved, up to the maximum limit. A search to match everything is both inefficient and time consuming. You'll use a lot of system resources, which can prevent others from running their searches. Additionally, you might wait a long time for your search results.

To avoid these problems, be as specific as you can when you specify your search criteria.

Be specific

The more specific your search terms are, the more efficient your search is. Sometimes that means not using a wildcard. Searching for a specific word or phrase is more efficient than a search that uses a wildcard. For example, searching for "access denied" is always better than searching for *denied.

When to avoid wildcard characters

There are several situations in which you should avoid using wildcard characters.

Avoid using wildcards in the middle of a string

Wildcard characters in the middle of a word or string might cause inconsistent results. This is especially true if the string contains punctuation, such as an underscore ( _ ) or dash ( - ) character.

For example, suppose you have the following list of product IDs.

DB-SG-G01
DC-SG-G02
MB-AG-G07
MB-AG-T01
SC-MG-G01
SF-BVS-G01
SG-SH-G05
WC-SH-A02
WC-SH-G04

You create a search that looks for all of the product IDs that begin with the letter S and end in G01.

productID="S*G01"

Because the product IDs contain punctuation, the search results might be inconsistent because of the way in which data that contains punctuation is indexed. To learn more about why punctuation can impact wildcard use, see Event segmentation and searching.

If the number of product IDs is small, it is more efficient to specify the exact product IDs in your search rather than using a wildcard. For example:

productID="SC-MG-G01" OR productID="SF-BVS-G01"

If the number of product IDs is large, use a lookup. See About lookups and work flow actions.
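The following search, added here as an illustration rather than taken from this page, shows the lookup approach for a long list of product IDs. It assumes a CSV lookup named product_ids.csv whose column is called productID (the same name as the event field) and a source type named access_combined; both are assumptions for this example.

```spl
sourcetype=access_combined [| inputlookup product_ids.csv | fields productID ]
```

The subsearch reads the lookup and expands into an OR of exact terms, productID="SC-MG-G01" OR productID="SF-BVS-G01" and so on, so the outer search is an exact-term search with no wildcard. The lookup column must carry the same field name as the event field for the expansion to apply; rename it inside the subsearch if it does not. Subsearches have a result limit, so for very large lists filter with the lookup command after the search instead.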

Avoid using wildcards to match punctuation

Punctuation consists of characters that are neither letters nor numbers. If you want to match part of a string that includes punctuation, specify each string with the punctuation that you are searching for.

For example, you have the following values in the uri_path field in your events.

/cart.do
/cart/error.do
/cart/success.do
/category.screen
/oldlink
/product.screen
/productscreen.html
/show.do
/stuff/logo.ico

You want to match every uri_path that starts with /cart. The problem is that the paths contain a forward slash ( / ) character and period ( . ) character. Instead of specifying a wildcard character for the punctuation such as /cart*, specify the punctuation directly in your search criteria. For example:

...uri_path="/cart.do" OR uri_path="/cart/error.do" OR uri_path="/cart/success.do"


Avoid using wildcards as prefixes

When you use a wildcard character at the beginning of a string, the search must look at every string to determine if the end of the string matches what you specify after the asterisk. Using a prefix wildcard is almost like using a wildcard by itself. Prefix wildcards might cause performance issues.

Avoid using wildcards at the beginning of search terms.
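The Python below is an added example, not code from Splunk or from this manual. It models a term index (lexicon) to make two points from this topic concrete: a trailing wildcard can walk a sorted range of terms, whereas a leading wildcard must examine every term in the lexicon, and a wildcard in the middle of a punctuated value such as S*G01 gives different answers depending on whether it is applied to the indexed terms or to the whole field value. The sample events, the set of breaker characters and the tokenizer are constructed simplifications and are not Splunk's segmentation rules.

```python
"""Simplified model of a term index to show the cost and behaviour of wildcards.

Constructed example; the tokenizer below is a stand-in for Splunk's segmentation
and deliberately indexes only the pieces between punctuation (minor segments).
"""
import re
from bisect import bisect_left
from fnmatch import fnmatchcase

# Constructed sample events (assumed format), one productID and uri_path each.
EVENTS = [
    "2020-01-01 10:00:01 productID=DB-SG-G01 uri_path=/cart.do status=200",
    "2020-01-01 10:00:02 productID=SC-MG-G01 uri_path=/cart/error.do status=500",
    "2020-01-01 10:00:03 productID=SF-BVS-G01 uri_path=/cart/success.do status=200",
    "2020-01-01 10:00:04 productID=SG-SH-G05 uri_path=/product.screen status=200",
    "2020-01-01 10:00:05 productID=WC-SH-G04 uri_path=/productscreen.html status=403",
    "2020-01-01 10:00:06 productID=MB-AG-T01 uri_path=/show.do status=200",
]

# Assumed breaker characters for this model: whitespace, '=', '/', '.', '-'.
MINOR_BREAKERS = re.compile(r"[\s=/.\-]+")


def tokenize(event: str):
    """Split an event into indexed terms at the breaker characters."""
    return [t for t in MINOR_BREAKERS.split(event) if t]


def build_lexicon(events):
    """Inverted index: term -> set of event numbers containing that term."""
    lexicon = {}
    for n, ev in enumerate(events):
        for term in tokenize(ev):
            lexicon.setdefault(term, set()).add(n)
    return lexicon


LEXICON = build_lexicon(EVENTS)
SORTED_TERMS = sorted(LEXICON)


def exact_term(term):
    """Exact term: a single dictionary probe. Returns (events, terms examined)."""
    return LEXICON.get(term, set()), 1


def trailing_wildcard(prefix):
    """'abc*': binary-search to the first term >= prefix, then walk the range
    of terms that share the prefix. Only the matching range is examined."""
    i = bisect_left(SORTED_TERMS, prefix)
    hits, examined = set(), 0
    while i < len(SORTED_TERMS) and SORTED_TERMS[i].startswith(prefix):
        hits |= LEXICON[SORTED_TERMS[i]]
        examined += 1
        i += 1
    return hits, examined


def leading_wildcard(suffix):
    """'*abc': the sort order gives no help, so every term must be examined.
    An empty suffix is the bare '*' search and matches every event."""
    hits = set()
    for term in SORTED_TERMS:
        if term.endswith(suffix):
            hits |= LEXICON[term]
    return hits, len(SORTED_TERMS)


def terms_matching(pattern):
    """Indexed terms that match a glob pattern (what a term-level wildcard sees)."""
    return [t for t in SORTED_TERMS if fnmatchcase(t, pattern)]


def field_value_match(events, field, pattern):
    """Glob match against whole field values (what the searcher usually expects)."""
    hits = set()
    for n, ev in enumerate(events):
        m = re.search(rf"{re.escape(field)}=(\S+)", ev)
        if m and fnmatchcase(m.group(1), pattern):
            hits.add(n)
    return hits


if __name__ == "__main__":
    print("exact G01:", exact_term("G01"))
    print("product*:", trailing_wildcard("product"))
    print("*do:", leading_wildcard("do"))
    print("S*G01 over whole values:", field_value_match(EVENTS, "productID", "S*G01"))
    print("S*G01 over indexed terms:", terms_matching("S*G01"))
```

Run as a script it prints that product* touches three terms while *do examines the whole lexicon, and that S*G01 matches two whole productID values but no indexed term at all, because the dash broke each ID into SC, MG and G01 before it was indexed. That gap between the two views is the inconsistency the topic warns about, and listing the exact IDs, or using a lookup, avoids it.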


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0

