Refine your search:

literal * in search?

3

Is it possible to search for a literal * character? If I had a string in a log that read "hi*there", and I wanted to search for it specifically

asked 24 Aug '11, 11:02

caphrim007's gravatar image

caphrim007
19510
accept rate: 50%

2 Answers:
oldestnewestmost voted
4

Using the search language to search for a literal * is currently unsupported. One workaround is to disable "*" as wildcard and then you can search for it as a literal, but but then you no longer have any wildcard capabilities; which was unacceptable to me to so I didn't peruse that option with Splunk support.

This is listed on the "Known Issues" page as follows:

There is no way to escape an asterisk (*) in the search language. (SPL-30079)

Just to be clear, you can filter for a "*" using a post-processing search command (e.g. by using rex like in the answer above), but you can't actually search for one in your actual search.

link

answered 24 Aug '11, 12:36

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

edited 24 Aug '11, 12:38

1

The first thing that comes to mind is a regular expression. I tried the following and it seems to work:

| rex field=_raw "(?<myLiterals>\w*\*\w*)"

The values of any data with "*" inside them at any point will be stored in the field "myLiterals". Did you only want the values, or did you also want the location of these values?

link

answered 24 Aug '11, 11:46

acdevlin's gravatar image

acdevlin
27715
accept rate: 37%

Ideally I'd like to just have splunk return events like it normally does with the highlighting of what it matched on inline vs extracting the data with rex.

The string I'm searching for is part of a much larger query, so piping to rex would only extract that particular string.

(24 Aug '11, 11:52) caphrim007

Ah, I see.

In that case, we could use "regex" instead, which will only keep events that match the regular expression.

| regex _raw="\w*\*\w*"

Is this closer to what you're after?

(24 Aug '11, 12:07) acdevlin
3

you will want to do "hi" "there" | regex _raw="hi\*there", since that will first use the index to return only events containing "hi" and "there", then further filter down to items containing the exact string you're looking for.

(24 Aug '11, 12:39) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×334

Asked: 24 Aug '11, 11:02

Seen: 402 times

Last updated: 24 Aug '11, 12:39

Related questions

Search Language variable for search duration

splunk search language

are search language *keywords* case-sensitive?

On the Fly KV Generation for Search Language Testing

Search help - need sub search to return time and host value for new search

In a Distributed Search environment, how do I restrict what indexes (or sources) the Search head sees on the Search Peer?

Can a search be terminated prematurely based on a condition established within that search?

How do force a search to finish before invoking a custom search command?

How to use "Intention" to add search clauses after the "base search string"

Copyright © 2005-2012 Splunk, Inc. All rights reserved.