Splunk Search

How do you search for a specific word when you don't know what the field is?

brewster88
New Member

Heya Guys,

I'm very new to Splunk and this is likely an obvious answer or I have skimmed across documentation and missed it.

So at the moment, we are ingesting logs from Google cloud, and I am interested in finding specific words such as 'error', 'fail', etc. However, I do not know the specific field name where this might appear.

Is there a search I could run as a sort of catch all that could pick up on this within our environment?

Something like the below?

index="gcp_logs" (message contains 'error' OR 'fail*') 

Any help would be appreciated.

Tom

Tags (3)
0 Karma
1 Solution

FrankVl
Ultra Champion

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

View solution in original post

0 Karma

brewster88
New Member

Really useful guys, this was exactly what I was after!

Will be starting the Splunk Fundamentals shortly as well 🙂

Kind Regards,

Tom

0 Karma

dkeck
Influencer

HI,

just simple search for the word

index="gcp_logs" error

BUT keep in mind there will be an AND between a error and another word you want to search.

So if you search for error fail, add a OR if you want events with both. so error OR fail

0 Karma

FrankVl
Ultra Champion

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...