https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248008#M73993 <P>Hi SplunkLunk!</P> <P>When searching over events to match strings contained within them, there is no need to explicitly tell Splunk to check the _raw message, as it will be doing that by default.</P> <P>For example:</P> <PRE><CODE>index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth root </CODE></PRE> <P>This search tells Splunk to bring us back any events that have the explicit fields we asked for AND (any space in your search is treated as an implicit 'AND') contains the literal string "root", anywhere in it. </P> <P>It is the same as saying:</P> <PRE><CODE>index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth _raw=*root* </CODE></PRE> <P>The tricky part when searching _raw= is to remember that if you simply said _raw=root, nothing would match, cause I don't have any raw events that only contain the word 'root'. However, I have plenty of events that CONTAIN the string root, so by adding the asterisks, I turn it into a CONTAINS rather than EQUALS...</P> <P>I strongly recommend bookmarking the Splunk search reference manual, as even the most seasoned Splunker needs to consult the docs for search syntax and rules, from time to time! </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/WhatsInThisManual">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/WhatsInThisManual</A></P> Mon, 28 Nov 2016 14:01:57 GMT mattymo 2016-11-28T14:01:57Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248007#M73992 <P>Good morning,</P> <P>I want to search for specific text within the <CODE>_raw</CODE> output of my syslog messages. Something along the lines of where <CODE>_raw=*example*</CODE>. So now I have <CODE>index=myindex host=myhost source=/var/log/messages</CODE> and then I want to only select certain events based on what is in <CODE>_raw</CODE>. What is the correct syntax for that? Eventually I may try to extract new fields using Splunk but for now I want to make sure I can search for certain events. Thanks for any help you can provide.</P> Mon, 28 Nov 2016 13:35:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248007#M73992 SplunkLunk 2016-11-28T13:35:54Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248008#M73993 <P>Hi SplunkLunk!</P> <P>When searching over events to match strings contained within them, there is no need to explicitly tell Splunk to check the _raw message, as it will be doing that by default.</P> <P>For example:</P> <PRE><CODE>index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth root </CODE></PRE> <P>This search tells Splunk to bring us back any events that have the explicit fields we asked for AND (any space in your search is treated as an implicit 'AND') contains the literal string "root", anywhere in it. </P> <P>It is the same as saying:</P> <PRE><CODE>index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth _raw=*root* </CODE></PRE> <P>The tricky part when searching _raw= is to remember that if you simply said _raw=root, nothing would match, cause I don't have any raw events that only contain the word 'root'. However, I have plenty of events that CONTAIN the string root, so by adding the asterisks, I turn it into a CONTAINS rather than EQUALS...</P> <P>I strongly recommend bookmarking the Splunk search reference manual, as even the most seasoned Splunker needs to consult the docs for search syntax and rules, from time to time! </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/WhatsInThisManual">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/WhatsInThisManual</A></P> Mon, 28 Nov 2016 14:01:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248008#M73993 mattymo 2016-11-28T14:01:57Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248009#M73994 <P>mmodestino,</P> <P>Thanks! So if I understand correctly if my search was index=[myindex] host=[myhost] source=/var/log/messages PHP Warning it will pull any events showing "PHP Warning" in _raw since I know that's where it's sitting? I tried it out and it seems to be what I'm looking for. Much appreciated. </P> Mon, 28 Nov 2016 14:14:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248009#M73994 SplunkLunk 2016-11-28T14:14:17Z https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248010#M73995 <PRE><CODE>index=[myindex] host=[myhost] source=/var/log/messages PHP Warning </CODE></PRE> <P>would search for events with PHP AND Warning in it.</P> <PRE><CODE>index=[myindex] host=[myhost] source=/var/log/messages "PHP Warning" </CODE></PRE> <P>would search for the literal string "PHP Warning"</P> <P>BONUS:</P> <PRE><CODE> index=[myindex] host=[myhost] source=/var/log/messages PHP OR Warning </CODE></PRE> <P>would search for events with PHP OR Warning string in it. </P> <P>FYI, you can use the comment function when discussing questions further, rather than posting an answer. You can convert your answer to a comment with the gear symbol on your answer!</P> <P>Also, don't forget to accept the answers you get if they help!</P> <P>Happy Splunking!</P> Mon, 28 Nov 2016 15:55:17 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-specific-text-within-raw/m-p/248010#M73995 mattymo 2016-11-28T15:55:17Z