Re: How to search for "*" (asterisk) values in a f...

kendelar · ‎04-05-2016

Hi,

I have TYPE field, that have a value of *, **, ***.

When I'm trying to |search TYPE="*" (all of the events will be shown, all of the values)
and when I use |regex TYPE="\*" (all of the *,**,** will be shown.)

I need help for searching * ,**, *** in a specific field..

Thank you.

johnebgood · ‎11-15-2019

You can also do something like this:

| eval has_asterisks=if(like(field, "%*%"), 1, 0)
| where has_asterisks=1

ElijahLynn · ‎02-21-2018

Welp, just came across your question and was wondering the same thing, not great news:

Splunk SPL uses the asterisk ( * ) as a wildcard character. The backslash cannot be used to escape the asterisk in search strings.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/SPLandregularexpressions

sleepingstarfir · ‎08-01-2019

We just tried this, and indeed you can use "" in a `where fieldname=""` query, and it will work. No backslash required.

somesoni2 · ‎04-05-2016

Try something like this

your base search | where TYPE="*"                  ***to filter rows with TYPE=*
your base search | where TYPE="***"                  ***to filter rows with TYPE=***

How to search for "*" (asterisk) values in a field?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases