topic Re: How do I search for the = character? in Splunk Search

How do I search for the = character?

castle1126 — Tue, 24 May 2011 14:50:09 GMT

    In many of our web proxy logs we see the equal sign (=) included in many URLs.  I'm searching for certain patterns that include the equal sign - for instance, abc=321%f=1.

    I've tried searches like:
    index=proxy uri=*abc\=321\%f\=1
    index=proxy "uri=*abc\=321\%f\=1"
    index=proxy | regex _raw=.*abc\=321\%f\=1.*

    all come back without any results.  I know the IP address of a client and server that has this pattern in it's URI.  So when I run the search against those IPs I get the event that shows the URI I'm looking for.

    Is there a special way to format searches to look for the equal sign?

    Thanks

Re: How do I search for the = character?

bwooden — Tue, 24 May 2011 15:03:44 GMT

You were pretty close with a few. Instead of quoting the field and the value, just quote the value. Like this:

index=proxy uri="*abc=321*"

edit:
The percent sign is included in the search from this query on my Splunk instance...
dest_url="ord=810167203?%5C%22"

Re: How do I search for the = character?

castle1126 — Tue, 24 May 2011 15:37:18 GMT

I've tried that, but my issue is the pattern also includes the percent sign. When I try index=proxy uri="abc=321%f=1" I get no results. Thoughts?

Re: How do I search for the = character?

bwooden — Tue, 24 May 2011 15:49:30 GMT

I'll have to edit my answer as the comment formatting keeps manipulating my reply...

Re: How do I search for the = character?

dwaddle — Tue, 24 May 2011 17:00:59 GMT

In dire circumstances, I have restored to the very ugly:

my_search | where match(_raw,"=")

This is obviously not very efficient, but has always worked for me.

Re: How do I search for the = character?

castle1126 — Tue, 24 May 2011 17:22:31 GMT

I just tried this too. No luck, nothing returned.