Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I search for an exact match in the raw text of an event?

digital_alchemy
Path Finder
‎10-31-2013 09:47 AM

I currently have a search that kinda works for what I need but it returns a lot of false positives.

Example:

Say I have a lookup table file that contains the string "ed" as an entry. Currently when I run the query I get hits on every string that contains "ed" like fred, red, bed, education, etc...

What I would like to do is be able to specify that I only get a hit on an exact match and exclude straings that only contain the string I'm searching for.

Current search:

*[| inputlookup MY_LOOKUP_FILE.csv | rename COLUMN_HEADER as search | fields search | format] | eval rawText= _raw | eval hit=[| inputlookup MY_LOOKUP_FILE.csv | stats values(COLUMN_HEADER) as query | eval query=mvjoin(query,",") | fields query | eval query = "".query.""] | eval hit=split(hit,",") | mvexpand hit | eval hit=lower(hit) | eval rawText=lower(rawText) | where like(rawText,"%"+hit+"%") | TABLE _time,hit,rawText

Any ideas?

Thanks.

Reply

airsplunk
Explorer
‎07-30-2014 03:36 PM

Do you have a named field? You can use that for an exact match quite easily.
This example, lets call it approach A does an exact match on path:

host=my_host path=/somepath/ | timechart  span=1m count by path

This while this example, lets call it approach B uses '/somepath/' as a word to do a partial match

host=my_host /somepath/ | timechart  span=1m count by path

Given logs with the following entries for path:

/somepath/
/somepath/hello
/somepath/world

Approach A will only match /somepath/ while approach B will match all three

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2013 10:31 AM

What delimits the strings you're searching for? If it's a fixed character like comma or space, put it in your like() clause - '... | where like(rawtext,"% "+hit+" %") | ...'. You may need to use multiple like() clauses if the delimiter varies (... | where like(rawtext,"% "+hit+" %") OR like(rawtext,"%,"+hit+",%") | ...).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

digital_alchemy
Path Finder
‎11-08-2013 10:56 AM

I've tried that with no results.

I've also tried to use
...| where make(rawtext, hit) |... and I get the same results with the false positives.

0 Karma
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...