Hi,
I have a field type "Source" and I want to filter the events by source="Ebiz.Order20" etc. I tried AND source="Ebiz.Order20" which returned no results even though there are events where the field has that value. I also tried extracting the field using this source"(?<Application>)" but it returned nothing?
You say the field is called capital-S Source but then you are using lowercase-s source in your SPL. Field names are case-sensitive. You must match them.
Every Splunk event has a field called "source" (and "sourcetype", "_time", "host", etc.). Is this the Splunk-generated source value, which is typically a file path like /foldera/folderb/filename.ext? And as @gcusello says, you would search with source="*filename.ext".
If you are extracting your own "source" I would definitely use some other field name to avoid conflicts with the Splunk fields.
I am not sure what you have before AND source=, but a typical search would be something like:
index=my_index source="*filename.ext"
Hi lsy9891,
If your field source has values like "blah/blah/Ebiz.Order20" you can use jolly chars in your search:
index=my_index source="*Ebiz.Order20"
or you can extract a new field using rex command and use it for searches:
index=my_index
| rex field=source ".*\/(?<my_source>.*)"
| search my_source="Ebiz.Order20"
Bye.
Giuseppe
My source field looks like this:
Source: Monster.Ebiz.Order20.Services? So why can't I specify it directly?
Hi lsy9891,
let me understand:
If you have something before and after "Ebiz.Order20", you can use jolly chars at the beginning and the end of the search string:
index=my_index source="*Ebiz.Order20*"
But this search isn't so performant, so the second solution I suggested should be better.
You can also call the new field Application and maintain both the fields:
index=my_index
| rex field=source ".*\/(?<Application>.*)"
| search Application="Ebiz.Order20"
But anyway, the regex you used was wrong.
Bye.
Giuseppe
@lsy9891 Monster.Ebiz.Order20.Services is not the same as Ebiz.Order20.
You would need to match on "*Ebiz.Order20*", very much like @gcusello originally suggested, not knowing there were trailing characters in the field also.
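To make the behaviour discussed in this thread concrete, here is an added Python emulation (not Splunk code and not from any of the posters) of the three things that went wrong: the field name case mismatch, the exact match with no wildcards failing on "Monster.Ebiz.Order20.Services", and Giuseppe's slash-based rex finding nothing in a dotted value. The sample events are constructed, and APP_PATTERN is an assumed regex for a Vendor.App.Module.Suffix layout, not something the thread supplies. The emulation follows Splunk's documented rule that field names are case-sensitive while field values match case-insensitively, and converts PCRE `(?<name>...)` groups to Python's `(?P<name>...)` so the thread's rex strings can be passed unchanged.

```python
import re

# Constructed sample events for this example (not real data from the thread).
EVENTS = [
    {"source": "Monster.Ebiz.Order20.Services", "msg": "order created"},
    {"source": "Monster.Ebiz.Order21.Services", "msg": "order created"},
    {"source": "Monster.Ebiz.Inventory.Services", "msg": "stock updated"},
    {"source": "/var/log/app/Ebiz.Order20", "msg": "file-based source"},
]


def wildcard_to_regex(pattern):
    """Turn an SPL-style search value into a regex: `*` matches anything,
    every other character is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def search_field(events, field, pattern):
    """Emulate `field="pattern"` in SPL. Field *names* are case-sensitive
    (so "Source" never finds "source"); field *values* compare
    case-insensitively, and `*` is a wildcard."""
    rx = re.compile(wildcard_to_regex(pattern), re.IGNORECASE)
    return [e for e in events if field in e and rx.fullmatch(e[field])]


def rex_extract(events, field, pattern):
    """Emulate `| rex field=<field> "<pattern>"`: every named group that
    matches becomes a new field on a copy of the event.

    Splunk's rex uses PCRE named groups `(?<name>...)`; Python's re needs
    `(?P<name>...)`, so rewrite that one construct (leaving the lookbehinds
    `(?<=` and `(?<!` alone)."""
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    rx = re.compile(py_pattern)
    out = []
    for e in events:
        e = dict(e)
        m = rx.search(e.get(field, ""))
        if m:
            e.update({k: v for k, v in m.groupdict().items() if v is not None})
        out.append(e)
    return out


# Assumed (hypothetical) layout Vendor.App.Module.Suffix: capture the middle
# two dotted segments, e.g. "Ebiz.Order20" out of "Monster.Ebiz.Order20.Services".
APP_PATTERN = r"^[^.]+\.(?<Application>[^.]+\.[^.]+)\."


def applications(events):
    """Application value extracted from each event's source, None where
    the pattern does not match (e.g. a slash-separated file path)."""
    return [e.get("Application") for e in rex_extract(events, "source", APP_PATTERN)]


def filter_by_application(events, value):
    """`| rex field=source APP_PATTERN | search Application="value"` in one call."""
    return search_field(rex_extract(events, "source", APP_PATTERN), "Application", value)


if __name__ == "__main__":
    print("Source (wrong case) :", search_field(EVENTS, "Source", "*Ebiz.Order20*"))
    print("exact, no wildcard  :", search_field(EVENTS, "source", "Ebiz.Order20"))
    print("*Ebiz.Order20*      :", [e["source"] for e in search_field(EVENTS, "source", "*Ebiz.Order20*")])
    print("slash-based rex     :", [e.get("my_source") for e in rex_extract(EVENTS, "source", r".*\/(?<my_source>.*)")])
    print("dotted-segment rex  :", applications(EVENTS))
    print("Application filter  :", [e["source"] for e in filter_by_application(EVENTS, "Ebiz.Order20")])
```

Running it shows the exact search and the wrong-case field name both return nothing, `*Ebiz.Order20*` returns the two events that contain the value, the slash-based rex only fills `my_source` for the file-path event, and the dotted-segment pattern is what turns "Monster.Ebiz.Order20.Services" into a field you can search exactly. As Giuseppe notes, the wildcard search is the less performant option, which is the reason to prefer extracting a dedicated field once the value's layout is known.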