topic Re: How to simply filter out text String from search results that has line breaks/return in it on SPLUNK Enterprise? in Splunk Search

How to simply filter out text String from search results that has line breaks/return in it on SPLUNK Enterprise?

anonymous_hippo — Mon, 08 Nov 2021 00:32:07 GMT

I'm really annoyed, I am using SPLUNK Enterprise and I'm literally tryin to parse out some JSON (basically a String) from my Splunk Logs that has linebreaks after each field/key in the JSON string result , i.e.

Some random search results here { key1: value1 key2: value2 key3: value3 }, some log message here

.... Like .* and many other REGEX chars work just fine in the search for some reason I tried all combinations of [\r\n\s]+ and such and get 0 results despite it working just fine in regex101.com online sandbox environment

I think I read online from my searches that Splunk logs don't preserve the linebreaks, but if it doesn't do that, then what is the final result looking like then? because I tried querying with out whitespaces, or linebreaks, and every combination under the sun, and never got a "hit" back on my search results.

Also, I'm not using any of that REX crap as I don't need to extract anything; I just wanted to filter and maybe do a stats count on my results

Can anyone provide a simple solution please thank you!

Re: How to simply filter out text String from search results that has line breaks/return in it on SPLUNK Enterprise?

richgalloway — Sun, 07 Nov 2021 18:24:37 GMT

Exactly HOW are you trying to filter on those strings? The search command does not recognize regular expressions so every regex will fail there. It would help if you shared your query.

Not using rex (it's not crap :-)) is fine if you're not extracting fields, but consider using regex or a where command with the match function.

Re: How to simply filter out text String from search results that has line breaks/return in it on SPLUNK Enterprise?

anonymous_hippo — Sun, 07 Nov 2021 19:04:41 GMT

Hi thanks for responding. I found a more ghetto solution where I just chained a bunch of AND statements together in the query, lol.

Also, I don't get what you mean that every regex will fail in the search command, because wildcard (*) and dot (.) operator work exactly as they do with normal regex and I use it all the time in the SEARCH query.

It seems like some commands actually work while others do not? I stand corrected if I am wrong.

Re: How to simply filter out text String from search results that has line breaks/return in it on SPLUNK Enterprise?

richgalloway — Sun, 07 Nov 2021 20:03:34 GMT

Glad you worked it out. Please consider sharing your solution so it might help someone else.

The search command does support "*" as a wildcard, but that is not same as in regex. "*" in search means matches any number of any character, whereas "*" in regex matches any number of the character that precedes the "*". Also, "." is not documented as a metacharacter in search.