Splunk Search

literal * in search?

caphrim007
Path Finder

Is it possible to search for a literal * character? If I had a string in a log that read "hi*there", and I wanted to search for it specifically

1 Solution

Lowell
Super Champion

Using the search language to search for a literal * is currently unsupported. One workaround is to disable "*" as wildcard and then you can search for it as a literal, but then you no longer have any wildcard capabilities, which was unacceptable to me, so I did peruse that option with Splunk support.

This is listed on the "Known Issues" page as follows:

There is no way to escape an asterisk (*) in the search language. (SPL-30079)

Just to be clear, you can filter for a "*" using a post-processing search command (e.g. by using rex like in the answer above), but you can't actually search for one in your actual search.


acdevlin
Communicator

The first thing that comes to mind is a regular expression. I tried the following and it seems to work:

| rex field=_raw "(?<myLiterals>\w*\*\w*)"

The values of any data with "*" inside them at any point will be stored in the field "myLiterals". Did you only want the values, or did you also want the location of these values?

gkanapathy
Splunk Employee

You can use

"complex search" | where searchmatch("complex search") OR match(_raw,"\*")

ben363
Path Finder

What if I want to search for
"complex search" OR "hi*there"?

I don't want to have to embed complex search into a regex just to filter for literal asterisks.

gkanapathy
Splunk Employee

You will want to do "hi" "there" | regex _raw="hi\*there", since that will first use the index to return only events containing "hi" and "there", then further filter down to items containing the exact string you're looking for.
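
Added example, not part of the thread or of Splunk's own code: a small Python helper that generalizes the two-stage pattern in the reply above to any literal containing asterisks, and emulates the regex stage over constructed sample events to show which ones the index-only stage would wrongly keep. The names build_search, stage2_filter and SAMPLE_EVENTS are hypothetical; literals containing a double quote or backslash are rejected because quoting them in SPL is not covered here.

```python
import re

# Constructed sample events (not from the thread). All three contain the
# terms "hi" and "there", so stage 1 alone would return every one of them.
SAMPLE_EVENTS = [
    '2024-03-01T10:00:00 app=web msg="hi*there"',
    '2024-03-01T10:00:01 app=web msg="hi there"',
    '2024-03-01T10:00:02 app=web msg="there, hi"',
]


def build_search(literal, base=""):
    """Return SPL: indexed terms first, then a regex filter for the exact literal."""
    if '"' in literal or "\\" in literal:
        # Quoting these inside an SPL string is outside what the thread covers.
        raise ValueError("literal contains a double quote or backslash")
    # Stage 1: '*' cannot be escaped in the search language, so the text on
    # either side of each asterisk is searched as its own quoted term.
    terms = [f'"{part.strip()}"' for part in literal.split("*") if part.strip()]
    # With no base and no usable terms, fall back to '*' (scans every event).
    head = " ".join(([base] if base else []) + terms) or "*"
    # Stage 2: re.escape turns '*' into '\*' so the regex command treats it
    # as a literal character instead of a quantifier.
    return f'{head} | regex _raw="{re.escape(literal)}"'


def stage2_filter(literal, events):
    """Emulate the regex stage locally: keep events containing the exact literal."""
    pattern = re.compile(re.escape(literal))
    return [event for event in events if pattern.search(event)]


if __name__ == "__main__":
    print(build_search("hi*there"))
    for event in stage2_filter("hi*there", SAMPLE_EVENTS):
        print(event)
```
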

acdevlin
Communicator

Ah, I see.

In that case, we could use "regex" instead, which will only keep events that match the regular expression.

| regex _raw="\w*\*\w*" 

Is this closer to what you're after?

caphrim007
Path Finder

Ideally I'd like to just have Splunk return events like it normally does with the highlighting of what it matched on inline vs extracting the data with rex.

The string I'm searching for is part of a much larger query, so piping to rex would only extract that particular string.
