topic Re: Search by Field's Value in Splunk Search

Search by Field's Value

edschembor — Wed, 25 Jun 2014 14:29:39 GMT

So I have a search where I need to further search by the value of the field.

ie)
| eval EPHID = "EPH1406180001103"
| search EPHID

Searches for logs with "EPHID" and not "EPH1406180001103". Is there some way to search for the field's value and not the field?

Thanks!

Re: Search by Field's Value

aweitzman — Wed, 25 Jun 2014 15:26:09 GMT

Try the following:

| eval EPHID = "EPH1406180001103" | where like(_raw,"%".EPHID."%")

Re: Search by Field's Value

davby — Wed, 25 Jun 2014 16:52:34 GMT

Use a subsearch. Using your example as a starting point:

[| gentimes start=-1 | eval EPHID="EPH1406180001103" | rename EPHID as query | fields query ]

Presumably your search is more complex than your example. If you have a search that results in EPHID having one or more values, then the gentimes stanza will not be needed; replace gentimes and eval with that search instead. For example:

[search user="john.doe" | rename host as query | fields query]

will search for events with user "john.doe", get the host field from these, then search for that value in everything.

Re: Search by Field's Value

edschembor — Wed, 25 Jun 2014 18:54:00 GMT

Let me give some more information:

I have a statement "eval entity="" " which is eventually set to some value which will only be a single value. Now, I need to further search the logs for this single value. Is there a way so that I search what entity equals as opposed to just its name?

Re: Search by Field's Value

edschembor — Thu, 26 Jun 2014 13:04:50 GMT

Having trouble understanding this. Do I need the user="john.doe" part? Why does this need to be done as a subsearch?