Hi,
I have a TYPE field that has a value of *, **, or ***.
When I try `| search TYPE="*"`, all of the events are shown (all of the values),
and when I use `| regex TYPE="\*"`, all of the *, **, ** are shown.
I need help searching for *, **, *** in a specific field.
Thank you.
You can also do something like this:
| eval has_asterisks=if(like(field, "%*%"), 1, 0)
| where has_asterisks=1
Welp, just came across your question and was wondering the same thing, not great news:
Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/SPLandregularexpressions
We just tried this, and indeed you can use "" in a `where fieldname=""` query, and it will work. No backslash required.
Try something like this:
To filter rows with TYPE=*:
your base search | where TYPE="*"
To filter rows with TYPE=***:
your base search | where TYPE="***"
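
An added example, not part of any post in this thread: a self-contained SPL search over constructed events that puts the literal comparisons suggested above side by side. The field names `is_one_star`, `has_asterisk`, `star_count` and `sample_note`, and the `INFO` value, are assumptions made for the illustration; the regex uses `[*]` so that no backslash escaping is involved.

```spl
| makeresults count=4
| streamstats count AS n
| eval TYPE=case(n=1, "*", n=2, "**", n=3, "***", n=4, "INFO")
| eval sample_note="constructed test events, not data from this thread"
| eval is_one_star=if(TYPE="*", 1, 0)
| eval has_asterisk=if(like(TYPE, "%*%"), 1, 0)
| eval star_count=if(match(TYPE, "^[*]+$"), len(TYPE), 0)
| table TYPE is_one_star has_asterisk star_count sample_note
```

Appending `| where star_count=2` keeps only the `**` row, while `| search TYPE="*"` would keep every row because `search` treats the asterisk as a wildcard.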