
Filter for messages that contains text with quotation marks

raculim
Explorer

Hi, 

I'm having a hard time trying to narrow down my search results. 

I would like to return only the results that contain the following string on the message: "progress":"COMPLETED","subtopics":"COMPLETED"

The text must be all together, in the sequence above. 

I tried to add a string like the one below in my search but it didn't work:

message="*\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"*"

Does anyone have suggestions on how to do that? 

I appreciate any help you can provide.


isoutamo
SplunkTrust
SplunkTrust

Hi

One thing you should do is check how the events look in the raw data. Probably the easiest way is to check via "Event Actions -> Show Source".

[screenshot: isoutamo_0-1727519863159.png]

That way you will see how it really is. After that you will know (especially with JSON) whether there are any spaces or other characters you need to take care of in your strings.

r. Ismo


inventsekar
SplunkTrust
SplunkTrust

Hi @raculim, @PickleRick's suggestion works fine, tested on 9.3.0.

[screenshot: inventsekar_0-1727507219641.png]

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

raculim
Explorer

Thanks @isoutamo.

The raw data contains some backslashes already: 

\"TOPIC_COMPLETION\"

So I had to perform my search like this:

index="..." "08:29:41.630" AND \\\"TOPIC_COMPLETION\\\"

Now it's working properly. 
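Added worked example (not code from the thread or from Splunk): the backslashes raculim found in the raw data are what you get when an application's JSON payload is serialised and then stored again as the string value of a `message` field, so every inner quote is escaped once per level of nesting. The Python below constructs such an event (the nesting shape is an assumption; the thread only shows the resulting backslashes), derives the literal form a fragment takes in _raw, and builds the double-quoted SPL term that matches it, escaping backslashes as `\\` and quotes as `\"` the way the working searches in this thread do. All event contents are constructed for the example.

```python
import json


def nested_message(payload: dict) -> str:
    r"""Constructed sample of how _raw ends up with backslashes: the app's JSON is
    serialised, then stored as the string value of an outer envelope's `message`
    field (assumed pipeline shape). Serialising a string that contains quotes
    escapes each one, so "a":"b" becomes \"a\":\"b\" in the stored event."""
    inner = json.dumps(payload, separators=(",", ":"))
    return json.dumps({"message": inner}, separators=(",", ":"))


def raw_form(fragment: str, depth: int = 1) -> str:
    r"""Literal characters a JSON fragment takes in _raw after being string-encoded
    `depth` times (one level of nesting per encoding). json.dumps escapes quotes
    and backslashes; the wrapping quotes it adds are dropped."""
    text = fragment
    for _ in range(depth):
        text = json.dumps(text)[1:-1]
    return text


def spl_quoted_term(raw_text: str) -> str:
    r"""Double-quoted SPL search term that matches raw_text literally. Inside SPL
    double quotes a literal backslash is written \\ and a literal quote \";
    backslashes must be doubled before the quotes are escaped, not after."""
    escaped = raw_text.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def raw_contains(event: str, raw_text: str) -> bool:
    """Literal substring check, which is what an exact-phrase SPL term amounts to."""
    return raw_text in event


# Constructed sample event; it is not taken from the thread's screenshots.
SAMPLE_EVENT = nested_message(
    {"event": "TOPIC_COMPLETION", "progress": "COMPLETED", "subtopics": "COMPLETED"}
)

if __name__ == "__main__":
    wanted = '"progress":"COMPLETED","subtopics":"COMPLETED"'
    print(SAMPLE_EVENT)
    # The fragment as the poster typed it is not in _raw; its escaped form is.
    print("unescaped fragment present:", raw_contains(SAMPLE_EVENT, wanted))
    print("raw form present:", raw_contains(SAMPLE_EVENT, raw_form(wanted)))
    print("SPL term:", spl_quoted_term(raw_form(wanted)))
    print("SPL term:", spl_quoted_term(raw_form('"TOPIC_COMPLETION"')))
```

Check the event with "Show Source" before trusting `depth=1`: a payload that went through two logging layers is escaped twice, and `raw_form(fragment, depth=2)` is what to feed into `spl_quoted_term` in that case.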

raculim
Explorer

Hi @PickleRick 

First of all, thanks for the reply. 

Let me try to give you a more concrete example:

1. One search example that returns a single result (this works as expected)

[screenshot: raculim_0-1727471674959.png]

2. Adding the TOPIC_COMPLETION string to the search (this works as expected)

[screenshot: raculim_1-1727471887747.png]

3. Adding the "TOPIC_COMPLETION" string to the search (this doesn't return any results. I was expecting the same results as in 1 and 2)

[screenshot: raculim_2-1727472020374.png]

Version 9.2.2406.107


PickleRick
SplunkTrust
SplunkTrust

Try enclosing your search term with quotes.

"\"TOPIC_COMPLETION\""

PickleRick
SplunkTrust
SplunkTrust

Seems to work for me.

[screenshot: PickleRick_0-1727466910629.png]

9.3.0
