Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add "LIKE" instead of "=" and add wildcard to search?

amandaxtru
Engager
‎07-13-2016 07:51 AM 
 <title>Routers</title>

| dbquery "routerdb" "SELECT DEVICE_LOC FROM routerdb.LKP_LOCATION_EDITED WHERE METRO_CITY LIKE '%Philadelphia%'"

| stats count by DEVICE_LOC
| fields - count
| rename DEVICE_LOC AS ROUTER

| format

Outputs: ( ( ROUTER="PHIL" ) OR ( ROUTER="PHL02" ) OR ( ROUTER="PHL23" ) OR ( ROUTER="PHL24" ) OR ( ROUTER="PHL6" ) OR ( ROUTER="PHL8" ) OR ( ROUTER="PHLAPA" ) )

How would I make it so it would be like (ROUTER LIKE "PHIL%") with the "%" wildcard? I'm trying to use these router prefixes to find all routers with that prefix. Thanks in advance!

0 Karma
Reply

sundareshr
Legend
‎07-13-2016 12:47 PM

Like this

| dbquery "routerdb" "SELECT DEVICE_LOC FROM routerdb.LKP_LOCATION_EDITED WHERE METRO_CITY LIKE '%Philadelphia%'" 
| stats count by DEVICE_LOC
| fields - count 
| eval ROUTER=DEVICE_LOC."%"
| fields ROUTER
| format
| eval search=replace(search, "=", " LIKE ")
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...