Filter for messages that contain text with quotation marks

raculim
Explorer

Hi, 

I'm having a hard time trying to narrow down my search results. 

I would like to return only the results that contain the following string in the message: "progress":"COMPLETED","subtopics":"COMPLETED"

The text must be all together, in the sequence above. 

I tried to add a string like the one below in my search but it didn't work:

message="*\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"*"

Does anyone have suggestions on how to do that? 

I appreciate any help you can provide.

 
1 Solution

isoutamo
SplunkTrust

Hi

One thing you should do is check how the events look in the raw data. Probably the easiest way is to check it via "Event Actions -> Show Source".


That way you will see how it really is. After that you know (especially with JSON) whether there are any spaces or other characters which you need to take care of in your strings.

r. Ismo


inventsekar
SplunkTrust

Hi @raculim. @PickleRick's suggestion works fine, tested (9.3.0).


 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting. Thanks for reading!


raculim
Explorer

Thanks @isoutamo . 

The raw data contains some backslashes already: 

\"TOPIC_COMPLETION\"

So I had to perform my search like this:

index="..." "08:29:41.630" AND \\\"TOPIC_COMPLETION\\\"

Now it's working properly. 

raculim
Explorer

Hi @PickleRick 

First of all, thanks for the reply. 

Let me try to give you a more concrete example:

1. One search example that returns a single result (this works as expected)


2. Adding the TOPIC_COMPLETION string to the search (this works as expected)


3. Adding the "TOPIC_COMPLETION" string to the search (this doesn't return any results. I was expecting the same results as in 1 and 2)


Version 9.2.2406.107

 

PickleRick
SplunkTrust

Try enclosing your search term with quotes.

"\"TOPIC_COMPLETION\""
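As an added illustration (not code from anyone in this thread), the script below applies the single quoting rule that both PickleRick's suggestion and raculim's working search rely on: inside a double-quoted SPL term, every backslash that is present in _raw is written as \\ and every quote as \". It also builds a constructed sample event in which the message field is itself a JSON document serialised as a string, which is how \"...\" sequences end up in the raw text and why a term written for plain quotes never matches. The helper names, the index name app_logs and the sample event are all my own assumptions for the example; the matcher only models the literal quoted-phrase comparison, not Splunk's full search.

```python
import json


def spl_quote(literal: str) -> str:
    r"""Turn the exact bytes seen in _raw into a double-quoted SPL term.

    Inside an SPL quoted string a backslash escapes the next character, so
    each raw backslash becomes \\ and each raw quote becomes \" . Backslashes
    are handled first so the ones added for quotes are not doubled again.
    """
    escaped = literal.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def spl_unquote(term: str) -> str:
    r"""Inverse of spl_quote: strip the outer quotes and resolve \\ and \" ."""
    if len(term) < 2 or term[0] != '"' or term[-1] != '"':
        raise ValueError("not a double-quoted SPL term: %r" % term)
    body = term[1:-1]
    out = []
    i = 0
    while i < len(body):
        # A backslash only escapes a following backslash or quote.
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def sample_raw_event() -> str:
    r"""Constructed sample event (assumption for this example, not thread data).

    An outer JSON record whose "message" field holds a second JSON document
    serialised as a string. That nesting is what puts \"...\" sequences into
    _raw, so a term written for plain quotes never matches it.
    """
    inner = {"progress": "COMPLETED", "subtopics": "COMPLETED",
             "type": "TOPIC_COMPLETION"}
    outer = {"ts": "08:29:41.630",
             "message": json.dumps(inner, separators=(",", ":"))}
    return json.dumps(outer, separators=(",", ":"))


def term_hits(term: str, raw: str) -> bool:
    """Toy matcher: does the literal behind a quoted SPL term occur in _raw?

    Models only the quoted-phrase literal comparison, which is enough to
    reason about the escaping; it is not Splunk's tokenised search.
    """
    return spl_unquote(term) in raw


def build_search(index: str, *literals: str) -> str:
    """Assemble a base search from an index name and one or more raw literals."""
    parts = ["index=" + spl_quote(index)] + [spl_quote(s) for s in literals]
    return " ".join(parts)


if __name__ == "__main__":
    raw = sample_raw_event()
    print("raw event:", raw)
    # Term written as if the quotes in _raw were plain: does not match.
    naive = spl_quote('"progress":"COMPLETED","subtopics":"COMPLETED"')
    # Term written from the escaped bytes actually present in _raw: matches.
    nested = spl_quote(r'\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"')
    print(naive, "->", term_hits(naive, raw))    # False
    print(nested, "->", term_hits(nested, raw))  # True
    print(build_search("app_logs", r'\"TOPIC_COMPLETION\"'))
```

The practical habit is the one isoutamo describes: copy the bytes from Show Source, then quote them with the rule above rather than typing the string from memory. Where the message field really is a nested JSON document, an alternative that avoids the escaping question entirely is to parse it with `| spath input=message` and filter on the extracted fields (for example `progress=COMPLETED subtopics=COMPLETED`).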

PickleRick
SplunkTrust

Seems to work for me.


 

9.3.0
