topic Re: How to search string abc/efg in log using multiselect field? in Splunk Search

How to search string abc/efg in log using multiselect field?

wangkevin1029 — Thu, 17 Nov 2022 22:15:39 GMT

Hi, Splunkers,

I want to search string like abc/efg in my log using multiselect field.

I directly defined this search value abc/efg in multiselect field , token name "keyword"

in my query, I use $keyword" to search, it doesn't' work, I also try abc\/efg, it doesn't work either, but other normal string works here.

any ideas?

thx in advance.

Kevin

Re: How to search string abc/efg in log using multiselect field?

yuanliu — Thu, 17 Nov 2022 23:10:24 GMT

Depending on data, some methods can be more efficient than others. Here is the most generic method if you truly want to search for a string that may appear anywhere in the event. (In other words, you must satisfy ("*abc*" OR "*efg*"). Extremely expensive.)

Then in search, you just say $keyword$. There can be many variations of this, especially in regard to prefix and suffix. For example, you can include all the asterisk, quotation mark, in value and do not use <valuePrefix/> and <valueSuffix/>; you can also do ($keyword$) in search and do away with <prefix/> and <suffix/>. (This question better belongs to reporting & dashboard forum.)

Re: How to search string abc/efg in log using multiselect field?

wangkevin1029 — Fri, 18 Nov 2022 03:03:43 GMT

I retried abc\/efg, it works now, thx you, anyway.