All Apps and Add-ons

Show fields containing X?

kbcuait
Explorer

Hi, I'm using dbconnect app

Have some fields that contain long strings of text, want to search for only those results that have a certain word (X) within them

To phrase it another way trying to do something like this:

| dbquery "MYDB" "select text_field from my_table where text_field contains "Description""

Thanks 🙂

0 Karma
1 Solution

Jon_Webster
Splunk Employee
Splunk Employee

What you're trying to do is restrict your results in your SQL query. It should look like this:

| dbquery "MYDB" "SELECT text_field FROM my_table WHERE text_field LIKE '%Description%' "

The "LIKE" command searches for any string that contains the string you feed it. The "%" character is a wildcard, so %description% will match any text field that contains the string 'description'.

Also be sure to verify the correct use of SQL quotes within your Splunk search.
Here's a simple manual page on the subject:

http://www.techonthenet.com/sql/like.php

View solution in original post

Jon_Webster
Splunk Employee
Splunk Employee

What you're trying to do is restrict your results in your SQL query. It should look like this:

| dbquery "MYDB" "SELECT text_field FROM my_table WHERE text_field LIKE '%Description%' "

The "LIKE" command searches for any string that contains the string you feed it. The "%" character is a wildcard, so %description% will match any text field that contains the string 'description'.

Also be sure to verify the correct use of SQL quotes within your Splunk search.
Here's a simple manual page on the subject:

http://www.techonthenet.com/sql/like.php

rgcurry
Contributor

Have you tried this (using your SQL as a guide to the Splunk Search Language equivalent):

index=mydb sourcetype=my_table "Description"

Alternatively, you can use search time field extractions to create a "description" field, then you can selectively search your data for something specific in "Description". Check it out at http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime.

0 Karma

kbcuait
Explorer

Hi, "No matching events found" – I'm not sure how to search the db without using | dbconnect (I don't see the db info listed in the summary anywhere)

...Where to go from here?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...