Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I run a search if a field contains the "|"...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsu88888
Explorer
09-20-2017
11:19 AM
Hello,
I need to count the event log line contains AAA|Y|42 but "|" is the pipeline command so that I got error as the following search:
I tried to use " double quote at two sides of the string but no return result.
index=transaction sourcetype=transaction_270 *AAA|Y|42*
| chart count by region_id, partner_id
Splunk will treat Y is the command and got this error:
Search Factory: Unknown search command 'y'.
Please help me with solution.
Thank you very much.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsu88888
Explorer
09-26-2017
03:12 PM
No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsu88888
Explorer
09-26-2017
03:12 PM
No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lfedak_splunk
Splunk Employee
09-21-2017
04:05 PM
Hey @hsu88888, if DalJeanis and Somesoni2 solved your problem, please don't forget to accept the answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsu88888
Explorer
09-21-2017
06:11 PM
No results found. I already said that in my question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-20-2017
11:38 AM
Just enclose *AAA|Y|42* in double quotes. It'll be then treated as string.
index=transaction sourcetype=transaction_270 "*AAA|Y|42*"
| chart count by region_id, partner_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
09-20-2017
12:02 PM
This answer is correct and specific for that spot in a search, or for after the command | search. If it's inside a mapped search or a regex, use the rules for wherever it is (usually escape with \).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hsu88888
Explorer
09-26-2017
03:14 PM
No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
