Using wildcards in a search string

andybeh · ‎07-03-2014

Hi All,

Can someone please explain how I use a wildcard character in the middle of a search string? For example, if I want find all gmail addresses that start with the letter 'a', I thought I could search for emailaddress="a*@gmail.com, however this returns all records. I guess I have to use a regex but my knowledge hasn't reached that level yet so I am struggling with this one.

Cheers

AB

gopala · ‎03-15-2016

Is not working for me either.

I tried
index=my_index | regex my_field="^my*.value.com"

and it is not finding anything even I

Where it should match
my1.value.com
my2.value.com
my100.value.com
etc....

rsennett_splunk · ‎07-03-2014

other than the fact that you are missing a closing double quote in your example. That will work fine.
Is that a typo?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

laithmurad · ‎07-03-2014

Hi AB,

Strange, I just tried you're search query emailaddress="a*@gmail.com" and it worked to filter emails that starts with an a, wildcards should work like you expected.

Alternatively use the regex command to filter you're results, for you're case just append this command to you're search.

| regex emailaddress="^a.*@gmail.com"

This will find all emails that starts with an "a" and ends with "@gmail.com"

Using wildcards in a search string

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success