
Using wildcards efficiently

Though the index is based on words, it is possible to use wildcards when needed, albeit a little carefully. Keep the following facts about wildcards in mind:

  • Only trailing wildcards are efficient: Stated simply, bob* will find events containing Bobby efficiently, but *by or *ob* will not. The latter two cases force a scan of every event in the specified time frame, because a leading wildcard cannot be resolved against the word index.
  • Wildcards are tested last: Wildcards are evaluated after all other terms. Given the search authclass *ob* hello world, every term other than *ob* is searched first, and the wildcard is applied only to the events that survive. The more you can limit the results using full words and fields, the better your search will perform.

Supplementing wildcards in fields

Given the following events, a search for world would return both events:

2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]
2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]

What if you only wanted the second event, but all you know is that the event contains world somewhere in the field message? The query message="*world*" would work, but it is very inefficient: the leading wildcard means Splunk must scan every event in the time frame for *world*, and only then determine whether the match is in the field message.

You can take advantage of the behavior mentioned earlier (wildcards are tested last). Rewriting the query as world message="*world*" lets Splunk first use the index to find all the events containing the word world, and then inspect only those events for the more specific wildcard condition.
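To make the cost difference visible, here is an added simulation (not code from the book or from Splunk) of a word index that resolves full terms first and applies a field wildcard only to the surviving candidates. The tokenizer and field extraction are simplified stand-ins for Splunk's own, and a third event without the word world is constructed so the narrowing effect shows.

```python
import re
from collections import defaultdict

# Constructed sample events: the two from the text plus one lacking "world".
EVENTS = [
    "2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3]",
    '2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"]',
    '2012-02-07T01:30:00.000-0600 INFO BarClass Goodbye. [user=Alice, ip=1.2.3.4, message="See you"]',
]

def tokenize(event):
    # Assumption: a crude stand-in for Splunk's indexer, yielding lowercase word terms.
    return set(re.findall(r"[a-z0-9]+", event.lower()))

def build_index(events):
    # Inverted index: term -> set of event positions containing it.
    index = defaultdict(set)
    for i, ev in enumerate(events):
        for term in tokenize(ev):
            index[term].add(i)
    return index

def field_matches(event, field, pattern):
    # Extract field=value (quoted or bare) and test a *-style wildcard against it.
    m = re.search(rf'{re.escape(field)}="?([^",\]]*)"?', event)
    if not m:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, m.group(1), re.IGNORECASE) is not None

def search(events, index, terms, field=None, pattern=None):
    """Return (matching event positions, number of events scanned for the wildcard).

    Full terms are resolved through the index first; the field wildcard, if any,
    is tested last and only against the candidates the index left over.
    """
    if terms:
        candidates = set.intersection(*(index.get(t, set()) for t in terms))
    else:
        candidates = set(range(len(events)))  # leading wildcard alone: scan everything
    scanned, hits = 0, []
    for i in sorted(candidates):
        if field is not None:
            scanned += 1
            if not field_matches(events[i], field, pattern):
                continue
        hits.append(i)
    return hits, scanned
```

With the three events, message="*world*" alone scans all three, while world message="*world*" scans only the two the index returns for world and still yields just the second event.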
