- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Wildcard search not producing accurate results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wildcard search not producing accurate results
Hi
I am running a wild card search as i am using an input window (with the default value as a wildcard search that will produce everything). The issue is that even though all the values are set at * for wildcard when i remove these searches completely i get more events. So events are being lost and i am trying to figure out what.
sourcetype="test.csv"| eval Created=strftime(_time, "%d/%m/%Y %I:%M:%S %p") |
search Username="*" AND Hostname="*" AND Category="*" | search Status="*" | search Username="*" AND Hostname="*" AND Category="*" | search Status="Closed" OR Status="False Positive" | search UserAction="*"
| table ISCM Category Created Priority UserAction Hostname Username Subject | sort by Created
I have completed a eval Created at the start of this as the input csv is indexing the updated time and i am changing this back. So the above search i get 410 events. But if i take out | search Status="*" | search Username="*" AND Hostname="*" AND Category="*" i get over 50 more entries which is confusing.
Anything else i can do as i need these search fields so the user can pick categories, usernames, hostnames and when they dont i just want everything but something is not operating correctly. thanks C.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you remove that search filter, do you see blank values in those additional rows for field Username and/or Hostname and/or Category and/or Status? A | search Status="*" is same as | where isnotnull(Status), to it removes any event where Status field is not available (is null), so you get lesser rows (which should be correct I would say).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search Status="*" will look for events where a field called Status exists. It will not return any events that do not contain a field called Status.
So it should be expected that these options will narrow your search, unless you expect that all of the fields you're naming in that search will be present in every event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You also should move all those extra search criteria to the original search segment before the first pipe. Use parenthesis to group conditions appropriately.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
