In the search field, I entered: source=/logs/*/*.log
it matches /logs/*/*.log
and /logs/*/*/*.log
. I need to see only the /logs/*/*.log
entries and not the /logs/*/*/*.log
entries. What should I change on the "search string" ? Thanks.
You're seeing log/*/*/*.log
because Splunk interprets the wildcard "greedily", i.e. it will match as much as possible.
There is no way that I know of to make the wildcards non-greedy, but there are workarounds that you can use. One is to specify explicitly that you want sources that match /logs/*/*.log
but not /logs/*/*/*.log
:
source="/logs/*/*.log" AND NOT source="/logs/*/*/*.log"
Or you could use regex
to filter results, like below.
source="/logs/*/*.log" | regex source="/logs/[^/]+/[^.]+\.log"
You're seeing log/*/*/*.log
because Splunk interprets the wildcard "greedily", i.e. it will match as much as possible.
There is no way that I know of to make the wildcards non-greedy, but there are workarounds that you can use. One is to specify explicitly that you want sources that match /logs/*/*.log
but not /logs/*/*/*.log
:
source="/logs/*/*.log" AND NOT source="/logs/*/*/*.log"
Or you could use regex
to filter results, like below.
source="/logs/*/*.log" | regex source="/logs/[^/]+/[^.]+\.log"
try: source="/logs//.log" NOT source="/logs///.log"
eventually with backslashes. But really you should avoid the wildcard in searches for performance reason