topic Re: How do you search for a specific word when you don't know what the field is? in Splunk Search

How do you search for a specific word when you don't know what the field is?

brewster88 — Mon, 21 Jan 2019 09:09:42 GMT

Heya Guys,

I'm very new to Splunk and this is likely an obvious answer or I have skimmed across documentation and missed it.

So at the moment, we are ingesting logs from Google cloud, and I am interested in finding specific words such as 'error', 'fail', etc. However, I do not know the specific field name where this might appear.

Is there a search I could run as a sort of catch all that could pick up on this within our environment?

Something like the below?

index="gcp_logs" (message contains 'error' OR 'fail*')

Any help would be appreciated.

Tom

Re: How do you search for a specific word when you don't know what the field is?

FrankVl — Mon, 21 Jan 2019 10:37:17 GMT

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

Re: How do you search for a specific word when you don't know what the field is?

dkeck — Mon, 21 Jan 2019 10:38:09 GMT

HI,

just simple search for the word

index="gcp_logs" error

BUT keep in mind there will be an AND between a error and another word you want to search.

So if you search for error fail, add a OR if you want events with both. so error OR fail

Re: How do you search for a specific word when you don't know what the field is?

brewster88 — Mon, 21 Jan 2019 12:07:45 GMT

Really useful guys, this was exactly what I was after!

Will be starting the Splunk Fundamentals shortly as well 🙂

Kind Regards,

Tom