Version: 4.0

Wildcards

To search for a substring in a search query, use wildcard characters. Wildcard syntax depends on the command: the eval, where, and like commands use the % symbol, and the search command uses the * character. For examples of using Smart Monitor Language commands, see the article.

Recommendations for using wildcard symbols

When the * character is specified, the search engine extracts events using a greedy algorithm, meaning all events will be returned. Such a search is excessive and consumes significant cluster resources. To avoid this, make searches specific: the more precise the search query, the more efficiently the search engine operates.

When not to use wildcard

There are several situations where the use of wildcards should be avoided:

  • Using wildcard characters in the middle of a string. A wildcard in the middle of a word or string can lead to ambiguous results.

  • Using wildcard characters at the beginning of search query conditions. A leading wildcard can cause performance issues for the search engine.
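
The recommendations above can be checked before a query is saved or scheduled. The following is an added example, not part of the product documentation or of Smart Monitor itself: it does not parse Smart Monitor Language, it only inspects individual search term values, and the function names and sample terms are assumptions made for illustration.

```python
# Added example: flag risky wildcard placement in search term values.
# Only the value is inspected; no Smart Monitor Language syntax is parsed.

ADVICE = {
    "match-all": "returns all events; make the query more specific",
    "leading": "wildcard at the beginning; can cause performance issues",
    "middle": "wildcard in the middle; can lead to ambiguous results",
}


def wildcard_findings(term, wildcard="*"):
    """Return the list of issues for one search term value.

    Use wildcard="*" for the search command and "%" for eval/where/like.
    A wildcard only at the end of the term produces no finding.
    """
    if wildcard not in term:
        return []
    core = term.strip(wildcard)
    if core == "":
        # The term consists of wildcard characters only.
        return ["match-all"]
    findings = []
    if term.startswith(wildcard):
        findings.append("leading")
    if wildcard in core:
        findings.append("middle")
    return findings


def lint_terms(terms, wildcard="*"):
    """Map each problematic term to its findings; clean terms are omitted."""
    report = {}
    for term in terms:
        findings = wildcard_findings(term, wildcard)
        if findings:
            report[term] = findings
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = ["*", "*failed", "ad*min", "*log*on*", "powershell*", "sshd"]
    for term, issues in lint_terms(sample).items():
        for issue in issues:
            print(f"{term!r}: {issue} ({ADVICE[issue]})")
```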

Search for the “*” symbol

Searching for the * character is not possible, because this symbol is reserved as a wildcard. Instead, search without the * and then use the where command or a regular expression (rex command) to filter the results.