Solved: Is there any workaround in Splunk to make a star t...

pavanae · ‎10-11-2017

I have some fields as follows

sql="Select * from & ABC"
sql="Select * from xyz.ABC"
sql="Select * from gh2_ABC"
sql="Select * from 34,rABC"
sql="Select * from xyz.gfr"

Now I am trying to work on an event type as follows

eventtype name :- test

sourcetype="web" sql="Select * from *ABC"

And now I want to consider the first star as a constant and the second star as a wild card. Is there any workaround in Splunk to make a star to be considered as constant instead of wild card?

DalJeanis · ‎10-11-2017

In search, an asterisk is a wildcard. There is no workaround.

In a regex, an asterisk can be either a repeater, or it can be escaped \* to be a plain asterisk.

When using | like(), asterisk is a regular character and % is a wildcard.

View solution in original post

cpetterborg · ‎10-11-2017

As far as I know there is no base search (with the search command) that will make a * be a constant. But you can use the regex command to do an asterisk as a constant. For example, the following works to find the asterisk as an asterisk:

| makeresults 
| eval raw="sql=\"Select from & ABC\"
sql=\"Select from xyz.ABC\"
sql=\"Select * from xyz.gfr\""
|  makemv raw delim="
"  | mvexpand raw 
|  rename raw as _raw 
|  regex "Select \*"

If you change the regex to search, you will get all three events, instead of just one. Hopefully this is something that you can use in your application.

DalJeanis · ‎10-11-2017

In search, an asterisk is a wildcard. There is no workaround.

In a regex, an asterisk can be either a repeater, or it can be escaped \* to be a plain asterisk.

When using | like(), asterisk is a regular character and % is a wildcard.

Is there any workaround in Splunk to make a star to be considered as constant instead of wild card?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life