Here is my Splunk log line:
{"line":"2019-08-15T17:48:28.935Z LCS {\"configName\":\"Apple-SQS\",\"customerName\":\"Apple\"} INFO i.r.p.s.Processor - finished processing}
When I search, I am trying the following:
index=docker_logs_index | search "Apple"
My search is catching Apple because Apple is part of configName but I only want to see results if customerName is Apple.
How can I modify my Splunk query to accomplish that?
Try this:
.. | rex "customerName\\\\\":\\\\\"(?<customerName>[^\\\]+)" | search customerName="Apple"
OR
| rex "customerName\\\\\":\\\\\"(?<customerName>\w+)" | search customerName="Apple"
Try this:
index=docker_logs_index | rex field=_raw "customerName\\\+\"+\:+\\\+\"(?<custname>.*?)\\\+\"" | where custname="Apple"
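As an added illustration (Python, not code from the question or either answer), the same extraction applied outside Splunk to constructed log lines in the question's format: it contrasts the free-text substring match that `search "Apple"` performs with filtering on the extracted customerName value, and shows parsing the embedded JSON as an alternative to the regex. The `\w+` variant from the answers is included only to show that it stops at the first space in a multi-word customer name.

```python
import json
import re

# Constructed sample lines in the shape of the Docker log line from the question:
# an outer JSON object whose "line" value holds a timestamp, a tag, an escaped
# JSON context object, a level, a logger name and a message.
SAMPLE_LINES = [
    '{"line":"2019-08-15T17:48:28.935Z LCS {\\"configName\\":\\"Apple-SQS\\",\\"customerName\\":\\"Apple\\"} INFO i.r.p.s.Processor - finished processing"}',
    '{"line":"2019-08-15T17:49:02.110Z LCS {\\"configName\\":\\"Apple-SQS\\",\\"customerName\\":\\"Pear\\"} INFO i.r.p.s.Processor - finished processing"}',
    '{"line":"2019-08-15T17:50:11.004Z LCS {\\"configName\\":\\"Banana-SQS\\",\\"customerName\\":\\"Apple Inc\\"} INFO i.r.p.s.Processor - finished processing"}',
]

# Python equivalents of the rex patterns in the answers, run against the raw
# event text (_raw), where the inner object's quotes appear escaped as \".
INNER_JSON_RE = re.compile(r'customerName\\":\\"(?P<customerName>[^\\]+)')
WORD_ONLY_RE = re.compile(r'customerName\\":\\"(?P<customerName>\w+)')


def extract_customer_regex(raw, pattern=INNER_JSON_RE):
    """Pull customerName out of the raw line with a regex, like rex does."""
    m = pattern.search(raw)
    return m.group("customerName") if m else None


def extract_customer_json(raw):
    """Structured alternative: parse the outer JSON, then the embedded object."""
    message = json.loads(raw)["line"]
    start, end = message.index("{"), message.rindex("}")
    return json.loads(message[start:end + 1]).get("customerName")


def substring_search(lines, needle):
    """What `search "Apple"` does: match the text anywhere in the event."""
    return [raw for raw in lines if needle.lower() in raw.lower()]


def filter_by_customer(lines, wanted, extractor=extract_customer_regex):
    """What `search customerName="Apple"` does: match the extracted field only."""
    return [raw for raw in lines if extractor(raw) == wanted]


if __name__ == "__main__":
    print("free-text hits:", len(substring_search(SAMPLE_LINES, "Apple")))
    print("field hits:   ", len(filter_by_customer(SAMPLE_LINES, "Apple")))
```

The free-text search matches all three constructed lines because "Apple" occurs in configName, while filtering on the extracted field keeps only the line whose customerName is exactly Apple.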