In many of our web proxy logs we see the equal sign (=) included in many URLs. I'm searching for certain patterns that include the equal sign - for instance, abc=321%f=1. I've tried searches like:

index=proxy uri=*abc\=321\%f\=1
index=proxy "uri=*abc\=321\%f\=1"
index=proxy | regex _raw=.*abc\=321\%f\=1.*

All come back without any results. I know the IP address of a client and server that has this pattern in its URI. So when I run the search against those IPs I get the event that shows the URI I'm looking for. Is there a special way to format searches to look for the equal sign? Thanks
You were pretty close with a few. Instead of quoting the field and the value, just quote the value. Like this:
The percent sign is included in the search from this query on my Splunk instance...
I've tried that, but my issue is the pattern also includes the percent sign. When I try index=proxy uri="abc=321%f=1" I get no results. Thoughts?
In dire circumstances, I have resorted to the very ugly:
my_search | where match(_raw,"=")
This is obviously not very efficient, but has always worked for me.
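An added example (not from any of the posters above) that combines the two things that are known to work in this thread: narrowing the search with the client and server IPs the original poster already knows, and then applying a post-search regex, which treats = and % as literal characters so no backslash escaping is needed. It assumes the proxy sourcetype has fields named src_ip and dest_ip and a uri field; replace the IPs with the real ones.

```spl
index=proxy src_ip=10.0.0.10 dest_ip=203.0.113.5
| regex uri="abc=321%f=1"
| table _time src_ip dest_ip uri
```

Once the regex confirms the match against the uri field, the IP filter can be dropped and the regex run across the whole index; it is slower than an indexed term search but it does not depend on how Splunk tokenizes = and % in the URL.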