topic Re: Searching for text in a field using a wild card in Splunk Search

Searching for text in a field using a wild card

nkavouris — Mon, 24 Feb 2025 22:11:21 GMT

I have a field message in _raw that looks something like this:

"message":"test::hardware_controller: Unit state update from cook client target: Elements(temp: -, [F: 255, F: 255, F: 255, F: 255, F: 255, F: 255]), hw_state: Elements(temp: -, [F: 255, F: 255, F: 255, F: 255, F: 255, F: 255])"

I am looking to search for messages containing the bold section. , but when i search:

index="sample_idx" $serialnumber$ log_level=info message=*Unit state update from cook client target*|

this returns no results, even though I know events containing the wildcard phrase are present within the query index and timeframe

Re: Searching for text in a field using a wild card

ITWhisperer — Tue, 25 Feb 2025 00:07:53 GMT

This looks like json - has the event been ingested as json and the message field already been extracted?

Re: Searching for text in a field using a wild card

myitlab42000 — Tue, 25 Feb 2025 00:16:00 GMT

Hi,

try to enclose message=*Unit state update from cook client target* with double quote like this

message="*Unit state update from cook client target*".

I think the problem is white space between unit, state, ...,

I hope ti help

Re: Searching for text in a field using a wild card

yuanliu — Tue, 25 Feb 2025 03:24:56 GMT

Second what @ITWhisperer says. If the raw event is not completely in JSON, the event must have included a JSON message. In that case, Splunk would not have extracted JSON fields. But it is strongly recommended that you treat structured data as structured data and do not use regex to extract from them. The way to do this is to extract the JSON part into its own field so you can make structured extraction. Please post sample of complete event.

Re: Searching for text in a field using a wild card

nkavouris — Tue, 25 Feb 2025 14:36:33 GMT

No how would i do that? spath?

Re: Searching for text in a field using a wild card

ITWhisperer — Tue, 25 Feb 2025 14:47:28 GMT

It depends on your complete raw event - spath is likely to be part of the solution. Please share your raw event (anonymised appropriately) in a code block using the </> button.

Re: Searching for text in a field using a wild card

nkavouris — Tue, 25 Feb 2025 16:12:04 GMT

here is the raw event

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00",
"location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info",
"message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000",
"model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}

Re: Searching for text in a field using a wild card

ITWhisperer — Tue, 25 Feb 2025 17:18:13 GMT

Try this

| spath | search message="*Unit state update from cook client target*"

Re: Searching for text in a field using a wild card

nkavouris — Tue, 25 Feb 2025 19:52:33 GMT

this does not work as I understand it

index="mysearch" log_level=info|
spath|
search message="*Unit state update from cook client target*"

in fact it makes my search much slower, while still not yielding any results

Re: Searching for text in a field using a wild card

nkavouris — Tue, 25 Feb 2025 20:03:00 GMT

This works for certain strings, but not others, does whitespace before or after the desired string in the event effect it?

If I use the string descried above, this solution works, but with a different string it does not work. what gives?

Re: Searching for text in a field using a wild card

yuanliu — Wed, 26 Feb 2025 03:56:39 GMT

Are you sure those bare XXXX are not quoted, like this?

{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00", "location":{"city":"XXXX","country":"XXXX","latitude":"XXXX","longitude":"XXXX","state":"XXXX"},"log_level":"info", "message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000", "model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}

If so, a "normal" Splunk instance should have given you message as a field with value "martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])".

If, for whatever reason your instance doesn't, spath command suffices. Try this example:

| makeresults | eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}" | eval _time = json_extract(_raw, "timestamp") ``` data emulation above ``` | spath | table message

Hint: output is

message

martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])

Alternatively, use json_extract function if your Splunk is 8.1 or later. Try this example:

If your instance is older, you can also use spath function. Try this example

| makeresults | eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}" | eval _time = spath(_raw, "timestamp") ``` data emulation above ``` | eval message = spath(_raw, "message")

Re: Searching for text in a field using a wild card

yuanliu — Wed, 26 Feb 2025 04:13:19 GMT

Your search is slower compared with what? You don't need to run spath according to my analysis. Because Splunk has already extracted it, running spath simply wastes CPU and memory. But running a search with leading wildcard always slows things down considerably. (The way you try to use regex doesn't make things better.) Why do you need wildcards, anyway? Your search can be conducted in bare terms without considering the field. Try

index="sample_idx" $serialnumber$ log_level=info Unit state update from cook client target

Here's an emulation for you to play with and compare with real data

| makeresults | eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\", \"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\", \"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\", \"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}" | eval _time = json_extract(_raw, "timestamp") | spath ``` the abovee emulates index="sample_idx" $serialnumber$ log_level=info ``` | search Unit state update from cook client target

Re: Searching for text in a field using a wild card

myitlab42000 — Wed, 26 Feb 2025 23:38:13 GMT

Hi,

can you try this :

index="sample_idx" $serialnumber$ log_level=info | regex message="(?:Unit[\s]+state[\s]+update[\s]+from[\s]+cook[\s]+client[\s]+target)"

this try to filter data that contains the bold text with words separated by one or more space.

is that what you are looking for ?

i'm sorry if i misunderstand