Splunk Search

How do I filter on the text value of data in a specific column?

brutecat
Path Finder

Hi there,

I am (very) new to this, so sorry for the lack of insight.

I have loaded a data set with multiple event types which are qualified by the value of a text in a column. How do I create a search to look for all events which have 'column="value"'? I want to display a time series with data that just matches this criterion.

1 Solution

jeffland
SplunkTrust

Just like you said. For a column named "component", you can search for specific values like this:

component = Metrics

You can also do various other searches, such as component != Metrics. You should read up on the search language, a good starting point for you could be the book: http://www.splunk.com/goto/book


brutecat
Path Finder

Jeff,

Thanks again. What I found unusual is that I don't actually need to. Here is my search string:

index="main" RealName="ConsolOpen" | timechart span=30m avg(Elapsed _ms)

so it seems that the parentheses suffice for delimiting the field name with a space.

I do find it frustrating that there is no warning or error when I enter something wrong (like Elasped_ms). It should really signal something, I think.

Stan


jeffland
SplunkTrust

You don't always need to, but sometimes you have to. The function avg of timechart takes a single argument, so it is obvious that there is only one "string" in the parentheses. A command like table on the other hand can take more than one argument, and they do not need to be separated by commas (i.e. | table RealName OtherName is totally legit, although you might want to use | table RealName, OtherName to make it obvious). Therefore, you are required to explicitly surround the arguments with double quotes in these situations (try it: | table RealName Elapsed _ms should give you a table with three columns, two of them empty).

I can understand that you might be frustrated by always having to be precise, but you'll learn to understand the signs (such as a table with empty columns, or a search that returns no results).

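The following searches are an added example written for this thread, not something either poster ran. They put together the two points discussed above: filtering on a field value (the original question) and quoting a field name that contains a space (the "Elapsed _ms" discussion). The index, RealName value and the "Elapsed _ms" field come from Stan's search string; the AS aliases and the two check searches at the end are my own additions and assume those fields exist in the data.

```spl
index="main" RealName="ConsolOpen"
| timechart span=30m avg("Elapsed _ms") AS avg_elapsed_ms

index="main" RealName="ConsolOpen"
| rename "Elapsed _ms" AS elapsed_ms
| timechart span=30m avg(elapsed_ms) AS avg_elapsed_ms

index="main" RealName="ConsolOpen"
| table RealName "Elapsed _ms"

index="main" RealName="ConsolOpen"
| stats count AS events, count("Elapsed _ms") AS events_with_elapsed

index="main" RealName="ConsolOpen"
| fieldsummary
| table field, count
```

Read the block as five separate searches, top to bottom. The first filters on the field value and wraps the field name with the space in double quotes, which is the safe habit even where the parentheses of avg() happen to make quoting unnecessary. The second renames the field once, so every later command can use a plain name and no further quoting is needed. The third shows the table command with the quoted name, which yields one column rather than the three empty-ish columns you get from the unquoted form. The last two are the checks for the silent-failure case Stan ran into: if you mistype a field name, count("...") comes back as 0 while count stays nonzero, and fieldsummary lists the field names Splunk actually extracted so you can see the exact spelling, spaces included.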

brutecat
Path Finder

Jeff,

Many thanks for that. Just the pointer I needed. The syntax is new to me and I was looking for enclosing quotes etc. Also, the parser seems to fail silently if I put in an illegal name. My column name was 'Elapsed _ms' (with a space) and I was entering 'Elapsed_ms' - so nothing was appearing.

That book is a great reference.

Thanks again,

Stan


jeffland
SplunkTrust

You're welcome. By the way, if you're looking to enclose your search term, use double quotes (useful when they include a space).
