Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I run a search if a field contains the "|" character?

hsu88888
Explorer
‎09-20-2017 11:19 AM

Hello,

I need to count the event log line contains AAA|Y|42 but "|" is the pipeline command so that I got error as the following search:
I tried to use " double quote at two sides of the string but no return result.

index=transaction sourcetype=transaction_270 *AAA|Y|42*
| chart count by region_id, partner_id

Splunk will treat Y is the command and got this error:
Search Factory: Unknown search command 'y'.

Please help me with solution.

Thank you very much.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hsu88888
Explorer
‎09-26-2017 03:12 PM

No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hsu88888
Explorer
‎09-26-2017 03:12 PM

No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-21-2017 04:05 PM

Hey @hsu88888, if DalJeanis and Somesoni2 solved your problem, please don't forget to accept the answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma
Reply
Solved! Jump to solution

hsu88888
Explorer
‎09-21-2017 06:11 PM

No results found. I already said that in my question

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-20-2017 11:38 AM

Just enclose *AAA|Y|42* in double quotes. It'll be then treated as string.

index=transaction sourcetype=transaction_270 "*AAA|Y|42*"
 | chart count by region_id, partner_id
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-20-2017 12:02 PM

This answer is correct and specific for that spot in a search, or for after the command | search. If it's inside a mapped search or a regex, use the rules for wherever it is (usually escape with \).

Reply
Solved! Jump to solution

hsu88888
Explorer
‎09-26-2017 03:14 PM

No, double quote won't find any event.
This is the right solution that I use and work:
*AAA*Y*42*R

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...