I would like to search for a * in my searchresult, more specific i would like to get all entries that is "select *" the problem is that Splunk thinks i would like to use the * as a wildcard.
How can I do to get this to work?
As there is no way to escape the asterisk character, you can do such a search using the regex command:
"select" | regex _raw="(?i)select\s+\*"
This is quite inefficient though. You should try to narrow the search before the regex command as much as you can. ie. specify host(s), source(s), sourcetype(s) etc.
sourectype=sql_log host=dbserver1 "select" | regex ...
As there is no way to escape the asterisk character, you can do such a search using the regex command:
"select" | regex _raw="(?i)select\s+\*"
This is quite inefficient though. You should try to narrow the search before the regex command as much as you can. ie. specify host(s), source(s), sourcetype(s) etc.
sourectype=sql_log host=dbserver1 "select" | regex ...