- Implementing Splunk 7 (Third Edition)
- James D. Miller
- 128 characters
- 2021-08-27 19:42:28
Supplementing wildcards in fields
Given the following events, a search for world would return both events:
2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]
2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]
What if you only wanted the second event, but all you know is that the event contains world somewhere in the field message? The query message="*world*" would work, but it is very inefficient, because Splunk must scan every event looking for *world*, and then determine whether world is present in the field message.
You can take advantage of the behavior mentioned earlier—wildcards are tested last. Rewriting the query as world message="*world*" gives Splunk a chance to first find all the records containing the indexed term world, and then inspect only those events for the more specific wildcard condition.
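The following Python script is an added example, not code from the book or from Splunk; it is a deliberately simplified model of the evaluation order described above (indexed terms checked first, wildcard field comparisons run only on the survivors), built from the two events in the text plus two constructed extra events. The tokenizer, the field extractor and the wildcard-to-regex conversion are assumptions made for the model and are much cruder than Splunk's real index and search-time extraction.

```python
import re

# Constructed sample events: the two from the text plus two extra ones.
EVENTS = [
    '2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]',
    '2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]',
    '2012-02-07T01:25:00.000-0600 INFO BarClass Goodbye. [user=Mary, ip=1.2.3.4, message="See you"]',
    '2012-02-07T01:26:00.000-0600 WARN BarClass Timeout. [user=Mary, ip=1.2.3.4, message="Worldwide outage"]',
]

# Assumed, simplified tokenizer: lowercase alphanumeric runs stand in for indexed terms.
_TOKEN_RE = re.compile(r"[a-z0-9]+")
# Assumed, simplified field extraction: key=value pairs, value either quoted or bare.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\]\s]+))')


def index_tokens(event):
    """Return the set of 'indexed terms' our model would store for this event."""
    return set(_TOKEN_RE.findall(event.lower()))


def extract_fields(event):
    """Search-time style extraction of key=value pairs into a dict."""
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(event):
        fields[key] = quoted if quoted else bare
    return fields


def wildcard_to_regex(pattern):
    """Turn a wildcard pattern (only * is special) into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def run_search(events, terms, field_filters):
    """
    Evaluate a search in two stages, mirroring the order the text describes:
      1. cheap: every bare term must be present as an indexed token;
      2. expensive: wildcard field comparisons run only on events that passed stage 1.
    Returns (matching_events, number_of_events_that_reached_stage_2).
    """
    wanted = {t.lower() for t in terms}
    compiled = [(field, wildcard_to_regex(pat)) for field, pat in field_filters]
    matches, scanned = [], 0
    for event in events:
        if not wanted <= index_tokens(event):
            continue  # rejected by the index; never reaches the wildcard test
        scanned += 1
        fields = extract_fields(event)
        if all(f in fields and rx.match(fields[f]) for f, rx in compiled):
            matches.append(event)
    return matches, scanned


if __name__ == "__main__":
    for terms in ([], ["world"]):
        found, scanned = run_search(EVENTS, terms, [("message", "*world*")])
        label = " ".join(terms + ['message="*world*"'])
        print(f"{label!r}: {scanned} events reached the wildcard stage, {len(found)} matched")
```

Running the script shows the cost difference the text is making: with `message="*world*"` alone, all four events reach the wildcard stage, whereas `world message="*world*"` lets only the two events that carry the indexed token world through. The model also exposes a side effect worth remembering: the bare term only matches whole tokens, so in this model the constructed event whose message says "Worldwide outage" is returned by the wildcard-only search but filtered out once the term world is added. Whether a real Splunk index tokenizes such a value the same way depends on its segmentation (breaker) configuration, so check the results of both forms on your own data before relying on the faster one.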