I'm trying to deal with a report that contains an asterisk to denote a "true/false" condition. My goal is to use transaction to roll into events starting with "Task:" and return only the lines containing the asterisk. (Raw log example below.) Escaping the asterisk out doesn't work. Punct doesn't work consistently. (Bug in 4.0.x?)
If I search: punct="::.[]_--_t#:tt--::.-t*", I get all lines containing the asterisks. However, if I use this search after a transaction declaration, Splunk appears to ignore it.
I tried the following query:
"Task:" OR punct="::.[]_--_t#:tt--::.-t*" | transaction fields=host,uniqueLogID startswith="Task:" | search punct="::.[]_--_t#:tt--::.-t*"
I expected it to return:
TransactionA:
Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001 SS#: 1 6-NOV-2010 01:30:20.30 -0500 *
Nov11 00:00:13.486 [948] REPL-I-0001 SS#: 2 7-NOV-2010 02:30:02.07 -0500 *
TransactionB:
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)
Nov11 00:00:13.491 [948] REPL-I-0001 SS#: 1 3-NOV-2010 21:00:25.68 -0500 *
Rather, it's returning all transactions, ignoring the secondary search after the pipe. I'm assuming it's because Splunk isn't properly handling the asterisk. How do I get around this?
Raw log:
Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001 SS#: 1 6-NOV-2010 01:30:20.30 -0500 *
Nov11 00:00:13.486 [948] REPL-I-0001 SS#: 2 7-NOV-2010 02:30:02.07 -0500 *
Nov11 00:00:13.486 [948] REPL-I-0001 SS#: 3 8-NOV-2010 02:30:22.65 -0500
Nov11 00:00:13.487 [948] REPL-I-0001 SS#: 4 9-NOV-2010 02:30:28.97 -0500
Nov11 00:00:13.487 [948] REPL-I-0001 SS#: 5 10-NOV-2010 02:30:06.95 -0500
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)
Nov11 00:00:13.491 [948] REPL-I-0001 SS#: 1 3-NOV-2010 21:00:25.68 -0500 *
Nov11 00:00:13.491 [948] REPL-I-0001 SS#: 2 4-NOV-2010 21:00:27.70 -0500
Nov11 00:00:13.492 [948] REPL-I-0001 SS#: 3 5-NOV-2010 21:00:22.38 -0500
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameC/ComputerNameC/TaskNameC(UniqueNumberC)
Nov11 00:00:13.491 [948] REPL-I-0001 SS#: 2 4-NOV-2010 21:00:27.70 -0500
Nov11 00:00:13.492 [948] REPL-I-0001 SS#: 3 5-NOV-2010 21:00:22.38 -0500
Actually, it's not too bad. You can do it inline at search time or put it in props.conf:
| rex mode=sed "s/[*]/NR/g"
Much ado about nothing, I guess...
As a followup, I'm still using my first solution and it's working great.
The issue is the inability to search for "*". Is that a bug in "search" and not "where"? I'll try it, regardless. Thanks!
You can also filter using the where command, rather than the search command. They have slightly different syntax and capabilities. So rather than using rex to modify the data, just use where like(punct,...) or where match(punct,...)
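Putting the two suggestions above (rex mode=sed rewrite, and where instead of search) into complete searches, as an added example that is not from any of the posters. Both filter before the transaction command, so each transaction ends up holding only its "Task:" line and the starred lines, and then drop transactions that contain nothing but the "Task:" line, which matches the expected output in the question (TransactionA and TransactionB, not TransactionC). The index and sourcetype names are assumptions; uniqueLogID is the field named in the question; eventcount is the field the transaction command itself emits; the transaction arguments are written in the current field-list form. like() treats * as a literal character, which is what sidesteps the wildcard problem:

```spl
index=main sourcetype=repl_log "REPL-I-0001"
| where like(_raw, "%Task:%") OR like(_raw, "%*")
| transaction host uniqueLogID startswith="Task:"
| where eventcount > 1
| table _time host uniqueLogID eventcount _raw

index=main sourcetype=repl_log "REPL-I-0001"
| rex mode=sed "s/[*]$/NR/"
| search "Task:" OR NR
| transaction host uniqueLogID startswith="Task:"
| where eventcount > 1
| table _time host uniqueLogID eventcount _raw
```

The first search leaves the data untouched and is the one to prefer; the second rewrites the trailing * to the token NR only in the search results (not in the index), so that a plain keyword search can select the starred lines. If the report ever carries trailing whitespace after the asterisk, change the like() pattern or the sed regex accordingly, since both anchor on the asterisk being the last character.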
Hi, according to known issues, there is no way to escape an asterisk in the search language.
Applying an index-time transform to replace the * with something else, e.g. #, would let you achieve your results. This would also modify the indexed logs, though, and there would be no way back after the events have been indexed.
Paolo
That's what I thought. I don't have an issue with doing a transform.
Thanks!