Hi Frank,
Here in my example, that is a single event. There are multiple events. Every event will have a different Message text. And my requirement is to highlight Message: XXXXXX XXXXX XXXXX of every event. The entire line. And in every event its a different message text.
Regards,
Abhi

Well, the highlight command doesn't support regular expressions or wildcards or anything, so that will be difficult. If the number of possible message texts is limited, you could create a macro that contains a highlight command with all possible message strings behind it.

In my local testing, highlight works fine on a string containing a colon. I think your suggestion will work fine, as long as the @abhinandan_rangasham is looking to highlight within raw events and not anything that's doing stats or other transforming commands.

Interesting, see below screenshots for what I encountered on Splunk 7.0.1.

https://www.dropbox.com/s/07hoemqangx2e2l/failinghighlight.PNG
https://www.dropbox.com/s/gt4q28sfohxsrms/workinghighlight.PNG

Interesting. I tried the exact same thing on my box and see what you see. However, it works if I change it to

| highlight "op=PAM:session_close"

So I think it has more to do with Splunk looking for breakers than specifically to do with colons. But either way, you are totally right that the command seems fussy and should be handled with care. 🙂

Good catch, you can also see that behavior a bit when hovering over the raw event with your mouse. When you start hovering from op= it will highligh "op", when you move to the right a bit, it highlights op=PAM, moving further, it highlights op=PAM:session, and eventually op=PAM:session_close.

So the highlighting indeed seems to somehow have something to do with how Splunk internally breaks up the raw event into substrings for searching etc.

So yeah, @abhinandan_rangasham, give it a try, probably for highlighting that entire line, it will work just fine 🙂