I want to search for specific text within the _raw output of my syslog messages. Something along the lines of where _raw=*example*. So now I have index=myindex host=myhost source=/var/log/messages and then I want to only select certain events based on what is in _raw. What is the correct syntax for that? Eventually I may try to extract new fields using Splunk but for now I want to make sure I can search for certain events. Thanks for any help you can provide.
When searching over events to match strings contained within them, there is no need to explicitly tell Splunk to check the _raw message, as it will be doing that by default.
index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth root
This search tells Splunk to bring us back any events that have the explicit fields we asked for AND (any space in your search is treated as an implicit 'AND') contains the literal string "root", anywhere in it.
It is the same as saying:
index=n00blab host=n00bserver sourcetype=linux:ubuntu:auth _raw=*root*
The tricky part when searching _raw= is to remember that if you simply said _raw=root, nothing would match, because I don't have any raw events that only contain the word 'root'. However, I have plenty of events that CONTAIN the string root, so by adding the asterisks, I turn it into a CONTAINS rather than EQUALS...
I strongly recommend bookmarking the Splunk search reference manual, as even the most seasoned Splunker needs to consult the docs for search syntax and rules, from time to time!
Thanks! So if I understand correctly, if my search was index=[myindex] host=[myhost] source=/var/log/messages PHP Warning it will pull any events showing "PHP Warning" in _raw, since I know that's where it's sitting? I tried it out and it seems to be what I'm looking for. Much appreciated.
index=[myindex] host=[myhost] source=/var/log/messages PHP Warning
would search for events with PHP AND Warning in it.
index=[myindex] host=[myhost] source=/var/log/messages "PHP Warning"
would search for the literal string "PHP Warning".
index=[myindex] host=[myhost] source=/var/log/messages PHP OR Warning
would search for events with the string PHP OR the string Warning in it.
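Added example (not code from the thread or from Splunk): a small Python emulation of the keyword semantics both answers describe, implicit AND between terms, quoted phrases, OR binding tighter than AND, and _raw=value versus _raw=*value*, run over constructed syslog lines. It assumes the index/host/source filters have already narrowed the events, and it uses word boundaries as a stand-in for Splunk's tokenizer.

```python
import re
import shlex

# Constructed sample _raw lines (not real log data), as if already filtered
# by index=... host=... source=/var/log/messages.
EVENTS = [
    "Jan 10 12:00:01 myhost php: PHP Warning:  include(): failed to open stream",
    "Jan 10 12:00:02 myhost sshd[123]: Accepted publickey for root from 10.0.0.5",
    "Jan 10 12:00:03 myhost php: PHP Notice:  undefined index in /var/www/app.php",
    "Jan 10 12:00:04 myhost kernel: Warning: disk usage at 91%",
    "Jan 10 12:00:05 myhost app: Warning: PHP handler restarted",
]


def term_matches(term, raw):
    """Match one search term against one _raw string, case-insensitively."""
    if term.startswith("_raw="):
        # _raw=value is an EQUALS test on the whole event; '*' wildcards
        # turn it into a CONTAINS/glob test (_raw=*root*).
        value = term[len("_raw="):]
        pattern = re.escape(value).replace(r"\*", ".*")
        return re.fullmatch(pattern, raw, re.IGNORECASE) is not None
    # A bare keyword or a "quoted phrase" must appear as whole tokens.
    # Word boundaries approximate Splunk's major/minor breakers here.
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return re.search(pattern, raw, re.IGNORECASE) is not None


def search(query, events=EVENTS):
    """Emulate SPL keyword logic: spaces are an implicit AND, OR binds tighter."""
    terms = shlex.split(query)  # keeps "PHP Warning" as a single phrase term
    clauses = []  # ANDed clauses; each clause is a list of OR alternatives
    i = 0
    while i < len(terms):
        if terms[i].upper() == "OR" and clauses and i + 1 < len(terms):
            clauses[-1].append(terms[i + 1])  # a OR b -> same clause
            i += 2
        else:
            clauses.append([terms[i]])
            i += 1
    return [e for e in events
            if all(any(term_matches(alt, e) for alt in c) for c in clauses)]


if __name__ == "__main__":
    for q in ("PHP Warning", '"PHP Warning"', "PHP OR Warning",
              "_raw=root", "_raw=*root*", "root"):
        print(f"{q!r}: {len(search(q))} event(s)")
```

Running it shows the three PHP/Warning searches returning different event sets, and _raw=root matching nothing while _raw=*root* and the bare keyword root match the same sshd line.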
FYI, you can use the comment function when discussing questions further, rather than posting an answer. You can convert your answer to a comment with the gear symbol on your answer!
Also, don't forget to accept the answers you get if they help!