Solved: search question

laughterjj · ‎09-05-2011

In the search field, I entered: source=/logs/*/*.log it matches /logs/*/*.log and /logs/*/*/*.log. I need to see only the /logs/*/*.log entries and not the /logs/*/*/*.log entries. What should I change on the "search string" ? Thanks.

Ayn · ‎09-05-2011

You're seeing log/*/*/*.log because Splunk interprets the wildcard "greedily", i.e. it will match as much as possible.

There is no way that I know of to make the wildcards non-greedy, but there are workarounds that you can use. One is to specify explicitly that you want sources that match /logs/*/*.log but not /logs/*/*/*.log:

source="/logs/*/*.log" AND NOT source="/logs/*/*/*.log"

Or you could use regex to filter results, like below.

source="/logs/*/*.log" | regex source="/logs/[^/]+/[^.]+\.log"

View solution in original post

Ayn · ‎09-05-2011

You're seeing log/*/*/*.log because Splunk interprets the wildcard "greedily", i.e. it will match as much as possible.

There is no way that I know of to make the wildcards non-greedy, but there are workarounds that you can use. One is to specify explicitly that you want sources that match /logs/*/*.log but not /logs/*/*/*.log:

source="/logs/*/*.log" AND NOT source="/logs/*/*/*.log"

Or you could use regex to filter results, like below.

source="/logs/*/*.log" | regex source="/logs/[^/]+/[^.]+\.log"

mzorzi · ‎09-05-2011

try: source="/logs//.log" NOT source="/logs///.log"

eventually with backslashes. But really you should avoid the wildcard in searches for performance reason

search question

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes