First, some house cleaning: You posted two nearly identical topics. This one appears to be more specific in subject. Could you delete https://community.splunk.com/t5/Splunk-Search/searching-for-specific-result/m-p/659465#M227694, then?

Second, you need to give enough context for a person with no context about your environment, dataset, etc., to understand what difficulty you face, what attempts you have made with what result. Do not assume that volunteers are mind-readers. For example, and so on.

Notice all the system_id starts with common 'AA-1' and * afterward. However, when use it as a token, as you've already feel the problem, AA-10* would return ALL the following id's start

Never mind the problem. I fail to see any problem with putting system_id in a token as discrete values. For one, system_id starts with AA-1, but there is no asterisk ('*') in any of the examples. If I use <your initial search> | stats count by system_id to populate $mytoken$, none of the values will have a wildcard. Your problem statement implies that you populate $mytoken$ either with fixed strings including AA-1*, AA-10*, etc., or you populate $mytoken$ with a search like my example, but manipulate the results in a way that adds a wildcard to certain positions. Another person would have no way of knowing why you populate $mytoken$ with AA-1* instead of AA-1-*, for example.

Then, there is a question of the use of said token. Do you use it in a search command? A where command? A match function? A different part of an eval expression? Each of these can work with a string differently.

Can you explain how that wildcard character gets into your token values and how your token is used?