Wildcards

To search for a substring in a search query, you should use wildcard characters. Depending on the commands, wildcard searches will have different syntax. For eval, where, like commands, the symbol % is used. The search command uses the * character. Examples of using SAF Language commands, see here.

Recommendations for using wildcard symbols

When using the * symbol, the search finds all events. This search is redundant and uses a lot of resources. It is recommended to use more specific search terms.

When not to use wildcard

When it is not recommended to use wildcard:

Using wildcard characters in the inside of a line.
Use of wildcard characters at the beginning of the search query. This can cause problems with search engine performance.

Search for the “*” symbol

Searching for the * character is not possible. This symbol is reserved as a wildcard symbol. However, you can search without the * and then use the where command or a regular expression (rex command) to filter the results.

Recommendations for using wildcard symbols​

When not to use wildcard​

Search for the “*” symbol​

Recommendations for using wildcard symbols

When not to use wildcard

Search for the “*” symbol