Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you search for a specific word when you don't know what the field is?

brewster88
New Member
‎01-21-2019 01:09 AM

Heya Guys,

I'm very new to Splunk and this is likely an obvious answer or I have skimmed across documentation and missed it.

So at the moment, we are ingesting logs from Google cloud, and I am interested in finding specific words such as 'error', 'fail', etc. However, I do not know the specific field name where this might appear.

Is there a search I could run as a sort of catch all that could pick up on this within our environment?

Something like the below? 

index="gcp_logs" (message contains 'error' OR 'fail*')

Any help would be appreciated.

Tom

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-21-2019 02:37 AM

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

brewster88
New Member
‎01-21-2019 04:07 AM

Really useful guys, this was exactly what I was after!

Will be starting the Splunk Fundamentals shortly as well 🙂

Kind Regards,

Tom

0 Karma
Reply
Solved! Jump to solution

dkeck
Influencer
‎01-21-2019 02:38 AM

HI,

just simple search for the word

index="gcp_logs" error

BUT keep in mind there will be an AND between a error and another word you want to search.

So if you search for error fail, add a OR if you want events with both. so error OR fail

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-21-2019 02:37 AM

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...