I have a defined field that I'm trying to perform searches against with wildcards, so given the texts:
And the following searches should return the specified items:
A. my_field="*text2search" --> #3
B. my_field="*text2search*" --> #1, 2, 3
C. my_field="text2search*" --> #1
But A and C actually return nothing. How would I get this to work the way I expect it to?
Thanks!
To back up the answer from Stephen Sorkin, I've had a similar problem with searches using wildcards, and found it was resolved through putting the wildcard query after | search
The link between my situation and that of the original poster, I think, is segmentation strategy. I've come across this problem when experimenting with using outer segmentation. Are issues with wildcard searches in this way related to disabling full segmentation?
This should normally work, and its failure probably has something to do with the heuristic of looking for the value in the index. The first check to make is to not put the field comparison in the initial part of the search. Does a search for just *text2search yield all the results that should match your field search? Another way is instead of:
my_field="*text2search"
Try:
* | search my_field="*text2search"
Great questions. Let me clarify them:
How is the field my_field actually extracted?
It is extracted via a regex in transforms.conf, and it can be "a sentence like this". Segmentation is set to inner for the source.
Are there actually spaces delimiting both sides of text2search (and blah) in all cases?
Not in terms of my example; I meant for "text2search" to mean exactly a word.
Is text2search actually just a word without internal spaces or punctuation?
Yes.
Does the search work if you don't specify my_field but just search for text2search (or *text2search or whatever)?
Not exactly. It seems for a past 24 hour search I get the same result for *text2search, text2search, text2search*, text2search.
Are you running these searches from the Splunk GUI?
Yes, I tried that to verify against programmatic searches, which have the same results.
Please add your clarifications to your original post (use the "edit" link) instead of adding a new "answer" like this.
gkanapathy raises good questions. If the below search works for case A then perhaps the field extraction may need to be tweaked to remove leading/trailing spaces or tabs.
my_field="*text2search*" | eval my_field=trim(my_field) | search my_field="*text2search"
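As an added illustration of the trim suggestion above (this is not code from the thread or from Splunk), the following Python simulation uses a constructed extraction regex that captures the whitespace around the value. That is exactly the situation in which case B matches while A and C return nothing, and trimming the extracted value restores the results the original post expected. The events, the regex and the field name are all assumptions made for the example.

```python
import re

# Constructed sample events: #1 starts with the word, #2 contains it in the
# middle, #3 ends with it (and the raw event carries a trailing space).
EVENTS = {
    1: "host=a msg: text2search blah",
    2: "host=b msg: blah text2search blah",
    3: "host=c msg: blah text2search ",
}

# Hypothetical transforms.conf-style extraction: the capture group swallows
# the space after "msg:" and any trailing whitespace, which is the defect
# the trim() pipeline step compensates for.
FIELD_REGEX = re.compile(r"msg:(?P<my_field>.*)$")


def wildcard_match(value: str, pattern: str) -> bool:
    """Match a field value against a Splunk-style pattern where only '*'
    is a wildcard; the comparison is case-insensitive and must cover the
    whole value, so stray leading/trailing whitespace breaks anchored ends."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def search(events: dict, pattern: str, trim: bool = False) -> list:
    """Return the ids of events whose extracted my_field matches pattern,
    optionally trimming the value first (the '| eval my_field=trim(...)' step)."""
    hits = []
    for event_id, raw in events.items():
        match = FIELD_REGEX.search(raw)
        if not match:
            continue
        value = match.group("my_field")
        if trim:
            value = value.strip()
        if wildcard_match(value, pattern):
            hits.append(event_id)
    return hits


if __name__ == "__main__":
    for pattern in ("*text2search", "*text2search*", "text2search*"):
        print(f'{pattern:15} raw={search(EVENTS, pattern)} '
              f'trimmed={search(EVENTS, pattern, trim=True)}')
```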
How is the field my_field actually extracted? Are there actually spaces delimiting both sides of text2search (and blah) in all cases? Is text2search actually just a word without internal spaces or punctuation? Does the search work if you don't specify my_field but just search for text2search (or *text2search or whatever)? Are you running these searches from the Splunk GUI?