https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124267#M33597 <P>What delimits the strings you're searching for? If it's a fixed character like comma or space, put it in your like() clause - '<CODE>... | where like(rawtext,"% "+hit+" %") | ...</CODE>'. You may need to use multiple like() clauses if the delimiter varies (<CODE>... | where like(rawtext,"% "+hit+" %") OR like(rawtext,"%,"+hit+",%") | ...</CODE>).</P> Thu, 31 Oct 2013 17:31:48 GMT richgalloway 2013-10-31T17:31:48Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124266#M33596 <P>I currently have a search that kinda works for what I need but it returns a lot of false positives.</P> <P>Example:</P> <P>Say I have a lookup table file that contains the string "ed" as an entry. Currently when I run the query I get hits on every string that contains "ed" like fred, red, bed, education, etc...</P> <P>What I would like to do is be able to specify that I only get a hit on an exact match and exclude straings that only contain the string I'm searching for.</P> <P>Current search:</P> <PRE><CODE>*[| inputlookup MY_LOOKUP_FILE.csv | rename COLUMN_HEADER as search | fields search | format] | eval rawText= _raw | eval hit=[| inputlookup MY_LOOKUP_FILE.csv | stats values(COLUMN_HEADER) as query | eval query=mvjoin(query,",") | fields query | eval query = "".query.""] | eval hit=split(hit,",") | mvexpand hit | eval hit=lower(hit) | eval rawText=lower(rawText) | where like(rawText,"%"+hit+"%") | TABLE _time,hit,rawText </CODE></PRE> <P>Any ideas?</P> <P>Thanks.</P> Thu, 31 Oct 2013 16:47:42 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124266#M33596 digital_alchemy 2013-10-31T16:47:42Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124267#M33597 <P>What delimits the strings you're searching for? If it's a fixed character like comma or space, put it in your like() clause - '<CODE>... | where like(rawtext,"% "+hit+" %") | ...</CODE>'. You may need to use multiple like() clauses if the delimiter varies (<CODE>... | where like(rawtext,"% "+hit+" %") OR like(rawtext,"%,"+hit+",%") | ...</CODE>).</P> Thu, 31 Oct 2013 17:31:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124267#M33597 richgalloway 2013-10-31T17:31:48Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124268#M33598 <P>I've tried that with no results. </P> <P>I've also tried to use<BR /> ...| where make(rawtext, hit) |... and I get the same results with the false positives.</P> Fri, 08 Nov 2013 18:56:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124268#M33598 digital_alchemy 2013-11-08T18:56:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124269#M33599 <P>Do you have a named field? You can use that for an exact match quite easily.<BR /> This example, lets call it approach A does an exact match on path:</P> <PRE><CODE>host=my_host path=/somepath/ | timechart span=1m count by path </CODE></PRE> <P>This while this example, lets call it approach B uses '/somepath/' as a word to do a partial match</P> <PRE><CODE>host=my_host /somepath/ | timechart span=1m count by path </CODE></PRE> <P>Given logs with the following entries for path:</P> <PRE><CODE>/somepath/ /somepath/hello /somepath/world </CODE></PRE> <P>Approach A will only match /somepath/ while approach B will match all three</P> Wed, 30 Jul 2014 22:36:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-an-exact-match-in-the-raw-text-of-an-event/m-p/124269#M33599 airsplunk 2014-07-30T22:36:29Z