How do I deal with logs containing asterisks?

hacktastic
Path Finder

I'm trying to deal with a report that contains an asterisk to denote a "true/false" condition. My goal is to use transaction to roll into events starting with "Task:" and return only the lines containing the asterisk. (Raw log example below.) Escaping the asterisk doesn't work. Punct doesn't work consistently. (Bug in 4.0.x?)

If I search: punct="::.[]_--_t#:tt--::.-t*", I get all lines containing the asterisks. However, if I use this search after a transaction declaration, Splunk appears to ignore it.

I tried the following query:

"Task:" OR punct="::.[]_--_t#:tt--::.-t*" | transaction fields=host,uniqueLogID startswith="Task:" | search punct="::.[]_--_t#:tt--::.-t*"

I expected it to return:

TransactionA:

Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001    SS#: 1       6-NOV-2010 01:30:20.30 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 2       7-NOV-2010 02:30:02.07 -0500   *   

TransactionB:

Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 1       3-NOV-2010 21:00:25.68 -0500   *

Rather, it's returning all transactions, ignoring the secondary search after the pipe. I'm assuming it's because Splunk isn't properly handling the asterisk. How do I get around this?

Raw log:

Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001    SS#: 1       6-NOV-2010 01:30:20.30 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 2       7-NOV-2010 02:30:02.07 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 3       8-NOV-2010 02:30:22.65 -0500    
Nov11 00:00:13.487 [948] REPL-I-0001    SS#: 4       9-NOV-2010 02:30:28.97 -0500    
Nov11 00:00:13.487 [948] REPL-I-0001    SS#: 5      10-NOV-2010 02:30:06.95 -0500   
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 1       3-NOV-2010 21:00:25.68 -0500   *
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500   
Nov11 00:00:13.492 [948] REPL-I-0001    SS#: 3       5-NOV-2010 21:00:22.38 -0500   
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameC/ComputerNameC/TaskNameC(UniqueNumberC)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500   
Nov11 00:00:13.492 [948] REPL-I-0001    SS#: 3       5-NOV-2010 21:00:22.38 -0500   
1 Solution

hacktastic
Path Finder

Actually, it's not too bad. You can do it inline at search time or put it in props.conf:

| rex mode=sed "s/[*]/NR/g"

Much ado about nothing, I guess...

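To show what the accepted answer's substitution buys you, here is an added example (not code from the original thread or from Splunk) that applies the same `s/[*]/NR/g` rewrite in Python, then groups the lines into "Task:" transactions and keeps only the flagged SS# lines, reproducing the expected output described in the question. The log text is a constructed subset of the raw log above; `NR` is the literal the answer substitutes for the asterisk.

```python
import re

# Constructed sample in the page's log format (subset of the raw log above).
RAW_LOG = """\
Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001    SS#: 1       6-NOV-2010 01:30:20.30 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 2       7-NOV-2010 02:30:02.07 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 3       8-NOV-2010 02:30:22.65 -0500
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 1       3-NOV-2010 21:00:25.68 -0500   *
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameC/ComputerNameC/TaskNameC(UniqueNumberC)
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500
"""

FLAG_MARKER = "NR"  # literal the accepted answer substitutes for "*"


def rewrite_flag(line: str) -> str:
    """Python equivalent of `rex mode=sed "s/[*]/NR/g"`: turn the
    unsearchable asterisk into a plain, searchable token."""
    return re.sub(r"\*", FLAG_MARKER, line)


def flagged_transactions(raw: str) -> dict:
    """Group lines into transactions that begin at a 'Task:' line and keep
    only the SS# lines carrying the flag. Transactions with no flagged line
    are dropped, mirroring the `| search` after the transaction pipe."""
    groups = {}
    current = None
    for line in raw.splitlines():
        line = rewrite_flag(line)
        if "Task:" in line:
            # Transaction key is the task path after "Task: ".
            current = line.split("Task: ", 1)[1].strip()
            groups[current] = []
        elif current is not None and line.rstrip().endswith(FLAG_MARKER):
            groups[current].append(line)
    return {task: lines for task, lines in groups.items() if lines}


if __name__ == "__main__":
    for task, lines in flagged_transactions(RAW_LOG).items():
        print("Task:", task)
        for line in lines:
            print("   ", line)
```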

hacktastic
Path Finder

As a followup, I'm still using my first solution and it's working great.

hacktastic
Path Finder

The issue is the inability to search for "*". Is that a bug in "search" and not "where"? I'll try it, regardless. Thanks!

gkanapathy
Splunk Employee

You can also filter using the where command, rather than the search command. They have slightly different syntax and capabilities. So rather than using rex to modify the data, just use where like(punct,...) or where match(punct,...).

Paolo_Prigione
Builder

Hi, according to known issues, there is no way to escape an asterisk in the search language.

Applying an index-time transform to replace the * with something else, e.g. #, would let you achieve your results. This would also modify the indexed logs, though, and there would be no way back after the events have been indexed.

Paolo

hacktastic
Path Finder

That's what I thought. I don't have an issue with doing a transform.

Thanks!
