Solved: Does wildeward search in source attribute work?

mkelderm · ‎03-12-2013

I assume that searching with source=* should work? What could be the reason that this query works:

index=prd_stats sourcetype=appman:*

Results:

12/03/2013 12:15:46.000 ResponseTimems=101
host=l2-iamprdagw04.nl.rsg sourcetype=appman:Script source=heartbeat-randstadnet@l2-iamprdagw04

And this not:

index=prd_stats sourcetype=appman:* source=heartbeat*

no results...

bmacias84 · ‎03-12-2013

You search has implied AND. Splunk inserts AND between search terms.

This is what your search is accutually.



index=prd_stats AND sourcetype=appman:* AND source=heartbeat*

This is what I think you trying to do



index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")

OR

index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"

To avoid confusion I explictly define all my boolean search operators.

Additional Reading:

Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.

Cheers,

bmacias84 · ‎03-12-2013