Supplementing wildcards in fields

Given the following events, a search for world would return both events:

2012-02-07T01:04:31.102-0600 INFO AuthClass Hello world. [user=Bobby, ip=1.2.3.3] 
2012-02-07T01:23:34.204-0600 INFO BarClass Goodbye. [user=Bobby, ip=1.2.3.3, message="Out of this world"] 

What if you only wanted the second event but all you know is that the event contains world somewhere in the field message? The query message="*world*" would work but it is very inefficient, because Splunk must scan every event looking for *world, and then determine whether world is present in the field message.

You can take advantage of the behavior mentioned earlier—wildcards are tested last. Rewriting the query as world message="*world*" gives Splunk a chance to find all the records with world, and then inspect those events for the more specific wildcard condition.