I have a query as follows
| inputlookup hosts.csv | table host | format
Which gives the result as follows
( ( host="abc" ) OR ( host="def" ) OR ( host="ghi" ) OR ( host="jkl" ))
Now, how to modify my current query to get the result as follows
( ( host="abc*" ) OR ( host="def*" ) OR ( host="ghi*" ) OR ( host="jkl*" ))
Is there any way that I can add the wildcard to all the host field values either by eval or regex. Please let me know if there is any possibility?
Very easy! Just do this:
| inputlookup hosts.csv
| table host
| eval host=host."*"
| format
That will append a wildcard to the end of the string in each host
field.
Very easy! Just do this:
| inputlookup hosts.csv
| table host
| eval host=host."*"
| format
That will append a wildcard to the end of the string in each host
field.
worked perfect. Thank you @elliotproebstel
So if you use
| eval name1=upper(name1)."*"
| search host=name1
This should work right?
When I look at the field values- Name is exactly correct but when I use the name1 field it doesnt work.
if I swap it out with just the value- it works.. almost like the wildcard doesnt count if its in the field.
Glad to help 🙂