- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to specify field type value in search quer...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to specify field type value in search query?
Hi,
I have a field type "Source" and I want to filter the events by source="Ebiz.Order20" etc. . I tried AND source="Ebiz.Order20" which returned no results even though there are events where the field has that value. I also tried extracting the field using this source"(?<Application>)" but it returned nothing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say the field is called capital-S Source but then you are using lowercase-s source in your SPL. Field names are case-sensitive. You must match them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Every Splunk event has a field called "source" (and "sourcetype, _time, host, etc.) Is this the Splunk generated source value whichis typically a file path like /foldera/folderb/filename.ext ans as @gcusello says you would search with source="*filename.ext"
If you are extracxting your own "source" I would definitely use some other field name to avoid conflicts with the Splunk fields.
I am not sure what you have before AND source= but a typical search would be something like:
index=my_index source="*filename.ext"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lsy9891,
if your field source has values like "blah/blah/Ebiz.Order20" you can use jollyh chars in your search:
index=my_index source="*Ebiz.Order20"
or you can extract a new field using rex command and use it for searches:
index=my_index
| rex field=source ".*\/(?<my_source>.*)"
| search my_source="Ebiz.Order20"
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My source field looks like this:
Source: Monster.Ebiz.Order20.Services? So why can't I specify it directly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lsy9891,
let me understand:
- you have a source like "Monster.Ebiz.Order20.Services",
- you want to search by a part of this field "Ebiz.Order20",
- what do you mean with: "So why can't I specify it directly?"
if you have something before and after "Ebiz.Order20", you can use jolly chars at the beginning and the end of the search string
index=my_index source="*Ebiz.Order20*"
But this search isn't so performant, so the second solution I suggested should be better.
You can also call the new field Application and maintain both the fields:
index=my_index
| rex field=source ".*\/(?<Application>.*)"
| search Application="Ebiz.Order20"
But anyway, the regex you used was wrong.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lsy9891 Monster.Ebiz.Order20.Services is not the same as Ebiz.Order20
You would need to match on “Ebiz.Order20” , very much like @gcusello originally suggested not knowing there were training characters in the field also.
New Splunk Observability innovations: Deeper visibility and smarter alerting to ...
Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition
Instrumenting Java Websocket Messaging
