Solved: Re: How do you search for a specific word when you...

brewster88 · ‎01-21-2019

Heya Guys,

I'm very new to Splunk and this is likely an obvious answer or I have skimmed across documentation and missed it.

So at the moment, we are ingesting logs from Google cloud, and I am interested in finding specific words such as 'error', 'fail', etc. However, I do not know the specific field name where this might appear.

Is there a search I could run as a sort of catch all that could pick up on this within our environment?

Something like the below?

index="gcp_logs" (message contains 'error' OR 'fail*')

Any help would be appreciated.

Tom

FrankVl · ‎01-21-2019

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

View solution in original post

brewster88 · ‎01-21-2019

Really useful guys, this was exactly what I was after!

Will be starting the Splunk Fundamentals shortly as well 🙂

Kind Regards,

Tom

dkeck · ‎01-21-2019

HI,

just simple search for the word

index="gcp_logs" error

BUT keep in mind there will be an AND between a error and another word you want to search.

So if you search for error fail, add a OR if you want events with both. so error OR fail

FrankVl · ‎01-21-2019

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

How do you search for a specific word when you don't know what the field is?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake