Hello all,
I am new to Splunk, so please excuse any gaps in my knowledge :).
I am trying to create customized alerts based on hostname filtering. The issue at hand can be described very simply, when creting any query for an alert condition the results provide a return for all hosts meeting the criteria, But when I try to filter on a broader range(wildcards), I receive no results. The queries work when either providing a specific host, or no host at all, wildcard hosts give no results.
index=* `alerting_filesystem_usage`
This gives the results in the first screenshot.
index=* `alerting_filesystem_usage` | where host='*72*'
This or any variation of the wildcard returns no results. Can someone please provide some guidance, as I cannot find any logic behind the behavior.
Hi,
Please try below queries, when you use where
you can't use *
instead you need to use %
for wildcard in where like()
index=* `alerting_filesystem_usage` | search host='*72*'
OR
index=* `alerting_filesystem_usage` | where like(host, "%72%")
Hi,
Please try below queries, when you use where
you can't use *
instead you need to use %
for wildcard in where like()
index=* `alerting_filesystem_usage` | search host='*72*'
OR
index=* `alerting_filesystem_usage` | where like(host, "%72%")
WOW, you are a genius, thank you! Just FYI, only your second suggestion does return results.
index=* `alerting_filesystem_usage` | search host='*72*'
Does not seem to work BUT this works like a charm
index=* `alerting_filesystem_usage` | where like(host, "%72%")
Can you please try below query?
index=* `alerting_filesystem_usage` | search host="*72*"
Yes, the quotes seem to be the issue,all this is very valuable info indeed 🙂
yw ..... 🙂