Solved: How do you match the exact wild card in the follow...

Kwip · ‎11-23-2018

Hi All,

I am using a form where I will get input for one field and produce results using it. The input may contain wild cards sometimes.

Here is the issue when the input contains a wild card.

Example:

Input field Name - SampleName
 SampleName - Jobname.id.*.runtime

When using the above search, I only want to match the events that contains below:

 Jobname.id.12345.runtime
 Jobname.id.34521.runtime
 Jobname.id.87645.runtime

But I am getting some more matching events including the said ones.

Jobname.id.12345.runtime - Needed
 Jobname.id.34521.runtime - Needed
 Jobname.id.87645.runtime - Needed
 Jobname.id.87645.turn1.runtime - Not Needed
 Jobname.id.12345.turn2.runtime - Not needed
 Jobname.id.87645.trn.runtime - Not Needed.

Please help me to fine tune my query to only match the events I need.

Richfez · ‎11-25-2018

The question as asked, if I'm reading this correctly, is that you want to match certain results, but not others. The ones you want to match are have only digits in that middle piece, no extra "words" or other things.

You didn't provide the initial base search, so I just have to "lorem ipsum" it.

One way is to build a more specific matching string.

... base search here
| rex field=SampleName "(?<isneeded>Jobname\.id\.\d+\.runtime)"
| search isneeded="*"

The idea is that the rex will only define the field isneeded if the overall regular expression fits, and that regex is the specific words (with escaped periods!) of "Jobname.id." followed by \d+ which is one or more digits, followed by ".runtime". So if there's extra non-digits in there somewhere, it won't match anything, and thus isneeded will not be a field in that event. LAstly, we just search where isneeded got defined.

You could also use that same, or a similar, search in match which maybe is more clear:

... base search here
| eval matches = if(match(SampleName,"Jobname\.id\.\d+\.runtime"), 1, 0)
| search matches=1

(That last was pulled nearly verbatim out of the documentation.)

I hope this helps!

Happy Splunking,
Rich

View solution in original post

woodcock · ‎11-26-2018

It is not possible; the best that you can do is something like this:

index=YouShoulAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo SampleName = Jobname.id.*.runtime
| where match(SampleName, "^Jobname\.id\.\d+\.runtime$")

Richfez · ‎11-25-2018

The question as asked, if I'm reading this correctly, is that you want to match certain results, but not others. The ones you want to match are have only digits in that middle piece, no extra "words" or other things.

You didn't provide the initial base search, so I just have to "lorem ipsum" it.

One way is to build a more specific matching string.

... base search here
| rex field=SampleName "(?<isneeded>Jobname\.id\.\d+\.runtime)"
| search isneeded="*"

The idea is that the rex will only define the field isneeded if the overall regular expression fits, and that regex is the specific words (with escaped periods!) of "Jobname.id." followed by \d+ which is one or more digits, followed by ".runtime". So if there's extra non-digits in there somewhere, it won't match anything, and thus isneeded will not be a field in that event. LAstly, we just search where isneeded got defined.

You could also use that same, or a similar, search in match which maybe is more clear:

... base search here
| eval matches = if(match(SampleName,"Jobname\.id\.\d+\.runtime"), 1, 0)
| search matches=1

(That last was pulled nearly verbatim out of the documentation.)

I hope this helps!

Happy Splunking,
Rich

Kwip · ‎12-02-2018

Thank you @rich7177. It is working fine.

How do you match the exact wild card in the following search string?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life