Splunk Search

How can I search for specific text within _raw?

Path Finder

Good morning,

I want to search for specific text within the _raw output of my syslog messages. Something along the lines of where _raw=*example*. So now I have index=myindex host=myhost source=/var/log/messages and then I want to only select certain events based on what is in _raw. What is the correct syntax for that? Eventually I may try to extract new fields using Splunk but for now I want to make sure I can search for certain events. Thanks for any help you can provide.


Splunk Employee

Hi SplunkLunk!

When searching over events to match strings contained within them, there is no need to explicitly tell Splunk to check the _raw message, as it will be doing that by default.

For example:

index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth root

This search tells Splunk to bring us back any events that have the explicit fields we asked for AND (any space in your search is treated as an implicit 'AND') contain the literal string "root", anywhere in them.

It is the same as saying:

index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth _raw=*root*

The tricky part when searching with _raw= is to remember that if you simply said _raw=root, nothing would match, because I don't have any raw events that only contain the word 'root'. However, I have plenty of events that CONTAIN the string root, so by adding the asterisks, I turn it into a CONTAINS rather than EQUALS...

I strongly recommend bookmarking the Splunk search reference manual, as even the most seasoned Splunker needs to consult the docs for search syntax and rules, from time to time!


Path Finder


Thanks! So if I understand correctly if my search was index=[myindex] host=[myhost] source=/var/log/messages PHP Warning it will pull any events showing "PHP Warning" in _raw since I know that's where it's sitting? I tried it out and it seems to be what I'm looking for. Much appreciated.


Splunk Employee
index=[myindex] host=[myhost] source=/var/log/messages PHP Warning

would search for events with PHP AND Warning in them.

index=[myindex] host=[myhost] source=/var/log/messages "PHP Warning"

would search for the literal string "PHP Warning"


index=[myindex] host=[myhost] source=/var/log/messages PHP OR Warning

would search for events with the string PHP OR the string Warning in them.

FYI, you can use the comment function when discussing questions further, rather than posting an answer. You can convert your answer to a comment with the gear symbol on your answer!

Also, don't forget to accept the answers you get if they help!

Happy Splunking!
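The two answers above describe four matching rules: bare words are implicitly AND-ed, a quoted string is matched as a phrase, OR is evaluated before the implicit AND, and `_raw=root` is an equals test on the whole event while `_raw=*root*` is a contains test. The following Python is an added example, not code from the thread or from Splunk: it models those rules over a handful of constructed /var/log/messages lines so you can see which query hits which event. It is a simplification by design. It supports only bare terms, quoted phrases, `OR`, and `_raw=` with `*` wildcards; it is case-insensitive throughout; and its `tokenize` stands in for Splunk's term segmentation with a plain alphanumeric split. The sample events and the `search`, `parse`, and `match_term` names are all made up for this example.

```python
import re

# Constructed sample events standing in for lines from /var/log/messages.
# These are made up for the example, not real data from the thread.
EVENTS = [
    "Mar 10 09:12:01 myhost php-fpm[918]: PHP Warning:  Undefined variable $user in /var/www/app/login.php on line 42",
    "Mar 10 09:12:05 myhost sshd[2211]: Accepted publickey for root from 10.0.0.5 port 50212 ssh2",
    "Mar 10 09:13:17 myhost app[77]: Warning: PHP opcache reset requested by operator",
    "Mar 10 09:14:00 myhost CRON[311]: (root) CMD (/usr/local/bin/backup.sh)",
    "Mar 10 09:15:22 myhost sshd[2300]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2",
]

# A search string is a sequence of quoted phrases and whitespace-separated words.
TERM_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(raw):
    """Rough stand-in for Splunk's segmentation: lowercase alphanumeric runs.
    (Real Splunk uses major/minor breakers and keeps some compound terms;
    this model is a simplification.)"""
    return set(re.findall(r"[a-z0-9]+", raw.lower()))


def wildcard_match(pattern, text):
    """Splunk-style wildcard where only '*' is special, applied to the whole text.
    With no '*' this is an equality test, which is why _raw=root matches nothing."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, text.lower()) is not None


def parse(search_string):
    """Split a search into AND-ed clauses, each a list of OR-ed terms.
    OR is evaluated before the implicit AND, so 'sshd root OR admin'
    becomes [[sshd], [root, admin]]."""
    clauses = []
    pending_or = False
    for quoted, bare in TERM_RE.findall(search_string):
        if bare == "OR":
            pending_or = True
            continue
        term = ("phrase", quoted) if quoted else ("term", bare)
        if pending_or and clauses:
            clauses[-1].append(term)
        else:
            clauses.append([term])
        pending_or = False
    return clauses


def match_term(kind, value, raw):
    """Decide whether a single search term hits one event."""
    if kind == "phrase":
        # "PHP Warning": the words must appear together, in that order.
        return value.lower() in raw.lower()
    if value.startswith("_raw="):
        # Field comparison against the whole event: EQUALS unless '*' is used.
        return wildcard_match(value[len("_raw="):], raw)
    # Bare keyword: matches any term in the event (an implicit CONTAINS).
    return any(wildcard_match(value, tok) for tok in tokenize(raw))


def search(search_string, events=EVENTS):
    """Return the events matching every AND clause (each satisfied by any OR term)."""
    clauses = parse(search_string)
    return [
        raw for raw in events
        if all(any(match_term(kind, value, raw) for kind, value in clause)
               for clause in clauses)
    ]


if __name__ == "__main__":
    for query in ["root", "_raw=root", "_raw=*root*", "PHP Warning",
                  '"PHP Warning"', "PHP OR Warning", "sshd root OR admin"]:
        print(f"{query!r}: {len(search(query))} event(s)")
```

Running it shows the distinctions the answers draw: `PHP Warning` hits both the real PHP warning and the unrelated "Warning: PHP opcache" line, `"PHP Warning"` hits only the first, `_raw=root` hits nothing while `_raw=*root*` and the bare keyword `root` each hit the two root events, and `sshd root OR admin` is read as sshd AND (root OR admin). In real Splunk, what a bare keyword matches is decided by its term segmentation rather than this model's alphanumeric split, so check behaviour against your own data before relying on a query for detection.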