The field value in Splunk subquery fuzzy matching CSV is*

In our previous case, it is often used directly in spl of use * To fuzzy match , But if in one csv The value of a field defined in is *, And then in spl In the right direction csv When making a query , This * Whether the value also indicates fuzzy matching ？ In response to this question , The following tests were performed ：

• establish csv Test data

| makeresults
| eval student_name="T*",hometown="Zhejiang"
| fields - _time
| outputlookup student.csv
# What I want to show here is the name with T At the beginning , All the students hometown All are Zhejiang

see csv：

•   Use spl Compare the original data with csv Merge query

| makeresults
| eval student_name="Tina",age="17",hometown="Zhejiang"
| search 
    [| inputlookup student.csv
    | fields student_name hometown]
| table student_name age hometown

The student name in this data begins with , If csv Medium T* It can express fuzzy matching , Then our execution result should be that this data can be queried , If csv Medium T* Representation string "T*", Then we can't find out the result .

Execution results ：

Case1:

Case2：

  explain csv Medium T* Represents a fuzzy match .

Case3：

Case4：

Through the above test, we can get ,csv The field value in is * when , Represents a fuzzy match rather than a string .