topic Re: How to specify field type value in search query? in Getting Data In

How to specify field type value in search query?

lsy9891 — Thu, 05 Sep 2019 07:44:31 GMT

Hi,

I have a field type "Source" and I want to filter the events by source="Ebiz.Order20" etc. . I tried AND source="Ebiz.Order20" which returned no results even though there are events where the field has that value. I also tried extracting the field using this source"(?<Application>)" but it returned nothing?

Re: How to specify field type value in search query?

gcusello — Thu, 05 Sep 2019 08:05:02 GMT

Hi lsy9891,
if your field source has values like "blah/blah/Ebiz.Order20" you can use jollyh chars in your search:

index=my_index source="*Ebiz.Order20"

or you can extract a new field using rex command and use it for searches:

index=my_index
| rex field=source ".*\/(?<my_source>.*)"
| search my_source="Ebiz.Order20"

Bye.
Giuseppe

Re: How to specify field type value in search query?

hunderliggur — Thu, 05 Sep 2019 23:35:14 GMT

Every Splunk event has a field called "source" (and "sourcetype, _time, host, etc.) Is this the Splunk generated source value whichis typically a file path like /foldera/folderb/filename.ext ans as @gcusello says you would search with source="*filename.ext"

If you are extracxting your own "source" I would definitely use some other field name to avoid conflicts with the Splunk fields.

I am not sure what you have before AND source= but a typical search would be something like:

index=my_index source="*filename.ext"

Re: How to specify field type value in search query?

lsy9891 — Fri, 06 Sep 2019 02:42:12 GMT

My source field looks like this:

Source: Monster.Ebiz.Order20.Services? So why can't I specify it directly?

Re: How to specify field type value in search query?

hunderliggur — Fri, 06 Sep 2019 03:15:08 GMT

@lsy9891 Monster.Ebiz.Order20.Services is not the same as Ebiz.Order20

You would need to match on “Ebiz.Order20” , very much like @gcusello originally suggested not knowing there were training characters in the field also.

Re: How to specify field type value in search query?

gcusello — Fri, 06 Sep 2019 06:59:45 GMT

Hi lsy9891,
let me understand:

you have a source like "Monster.Ebiz.Order20.Services",
you want to search by a part of this field "Ebiz.Order20",
what do you mean with: "So why can't I specify it directly?"

if you have something before and after "Ebiz.Order20", you can use jolly chars at the beginning and the end of the search string

index=my_index source="*Ebiz.Order20*"

But this search isn't so performant, so the second solution I suggested should be better.
You can also call the new field Application and maintain both the fields:

index=my_index
| rex field=source ".*\/(?<Application>.*)"
| search Application="Ebiz.Order20"

But anyway, the regex you used was wrong.

Bye.
Giuseppe

Re: How to specify field type value in search query?

woodcock — Sun, 08 Sep 2019 20:54:14 GMT

You say the field is called capital-S Source but then you are using lowercase-s source in your SPL. Field names are case-sensitive. You must match them.