topic Re: Searching "%" with in a search string in Splunk Search

Searching "%" with in a search string

runiyal — Tue, 29 Sep 2020 11:14:41 GMT

My logfile contains a rows like -

...........&pic=pic%231.pdf&description=.......
...........&pic=pic.pdf&description=.......
...........&pic=pic%232.pdf&description=.......

I need to get result if this string "&pic=.pdf" as "%*" in between it.

So, in the result I shoul only get

...........&pic=pic*%231.pdf&description=.......
...........&pic=pic%*232.pdf&description=.......

Thanks!

Re: Searching "%" with in a search string

Richfez — Thu, 29 Sep 2016 23:53:59 GMT

I played around with this a bit, it's a tiny bit more finicky than I would have liked. I think the problem is that the % character is a breaker character, so it makes odd things happen inside Splunk. The following may be a reliable way to work with it by creating a new field.

... my search | rex field=target "πc=(?<MyFileName>[^&]*)" | search MyFileName=pic%*.pdf

So, your my search is just whatever it takes to pull up all the events ("index=* sourcetype=something" or whatever). The middle is the rex, and it creates a new field MyFileName from the characters found after πc= up to the first ampersand. Once you have the field, it seems to reliably work for searching.

The above does just what you asked - finds the pdfs with the percent sign. You could also use | search MyFileName=pic%* which would pull out all files starting with pic and a percent sign.

So again, once you have that rex in place, after it you can ...
To find all files starting with the letters pic% : | search MyFileName=pic%*
To find all pdfs starting with the letters pic% and ending in pdf : | search MyFileName=pic%*.pdf
To find all pdfs that do NOT have a pic% at the front : | search MyFileName!=pic%*.pdf
Similarly, to find all anythings in that field that have a percent sign: | search MyFileName=*%*
Lastly, to find all anythings that don't have a percent sign: | search MyFileName!=*%*

Re: Searching "%" with in a search string

runiyal — Fri, 30 Sep 2016 17:34:44 GMT

Thanks Rich!

I have the following search now -

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | search MyFileName=*%*

But it's not working. It is showing "No results found".

I tried to see if the search is showing any result with "%" in it. I ran this query -

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | stats count by name

Found the result -
1213 Iriquois Dr%2C PHOTO 1

15%25

But when I try to look at the stats using "MyFileName", its not returning any result. It is showing "No results found".

index="prod" host="prod-as**" "*succeeded" "app=oraapp" | rex field=target "name=(?<MyFileName>[^,]*)" | stats count by MyFileName

Does this mean that MyFileName is not being populated?

Re: Searching "%" with in a search string

Richfez — Fri, 30 Sep 2016 18:49:04 GMT

Can you provide a couple more of the raw events, preferably the whole or at least most of the event? Might just be a little detail was overlooked and with that I can retest in a while.

Thanks

Re: Searching "%" with in a search string

somesoni2 — Fri, 30 Sep 2016 19:03:39 GMT

Try like this

 index="prod" host="prod-as**" "*succeeded" "app=oraapp" | regex _raw=".*%.*"

Re: Searching "%" with in a search string

Richfez — Sat, 01 Oct 2016 14:37:56 GMT

Yes, so it looks like you are using a rex that looks for a string "name=" followed by characters that aren't commas. "name=(?<MyFileName>[^,]*)" So if given an event like

age=23,name=billy,height=tall

It would pull a field MyFileName of "billy". I know the example ended up silly, but that's OK. 🙂

But your initial pasting of events shows they look like

age=23&name=billy&height=tall

So you need to make sure you are looking for the string "name=" then characters up to but not including an ampersand. Like "name=(?<MyFileName>[^&]*)" .

Unless the initial pastes were of the wrong data or got funged up during pasting. So in either way, if you have further problems if you could paste in new event samples that would be great. Of course, we'll just hope it all works!

BTW, I put this stuff up into regex101.com so you can see how it determined what was matching, and this is off the original data way up in the question.