I have Splunk logs stored in this format (two example records below):
{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n \"city\":\"irving\",\n\"state\":\"TX\",\n\"isPresent\":\"Y\"","uid":"1234"}
{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"san diego\",\n\"state\":\"CA\",\n\"isPresent\":\"N\"","uid":"1234"}
I'm trying to find all records where isPresent is "Y". Now request is a string containing a JSON string representation. So, I'm using a query like this:
\\"isPresent\\":\\"Y\\" uid=1234 AND request!=null
But this query is bringing up both isPresent=Y and isPresent=N records, effectively meaning that the filter is not working at all. Any idea how I can search a string to check if it contains a specific substring?
I don't think you have enough backslashes. Try this:
\\\"isPresent\\\":\\\"Y\\\" uid=1234 AND request!=null
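The following is an added example, not code from the question or the answer above. It reproduces the situation offline in Python: the sample records are constructed to match the two events in the question (plus a request with no isPresent key, a record with request=null, and a matching record under a different uid, all constructed here). It shows two things the thread discusses: what the raw bytes of a matching event actually look like (the inner quotes are backslash-escaped, which is why the search term needs backslashes), and a structured alternative that parses the outer record and then the inner request string instead of relying on an escaped substring. Note that the request body in these logs is a bare list of "key":"value" pairs with no surrounding braces, so it is not valid JSON on its own; parse_request handles that.

```python
"""Filter JSON log records on a field that lives inside a JSON-encoded string."""
import json
import re
from typing import Iterable, List, Optional

# Constructed sample records modelled on the two in the question, plus three
# edge cases: a request without isPresent, a record with request=null, and a
# matching request under a different uid.
SAMPLE_LOGS = [
    r'{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n \"city\":\"irving\",\n\"state\":\"TX\",\n\"isPresent\":\"Y\"","uid":"1234"}',
    r'{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"san diego\",\n\"state\":\"CA\",\n\"isPresent\":\"N\"","uid":"1234"}',
    r'{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"austin\",\n\"state\":\"TX\"","uid":"1234"}',
    r'{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"GET","request":null,"uid":"1234"}',
    r'{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"reno\",\n\"state\":\"NV\",\n\"isPresent\":\"Y\"","uid":"9999"}',
]

# What a matching event looks like as stored: the inner quotes are escaped with
# backslashes, so a substring search over the raw text must include them.
RAW_NEEDLE = r'\"isPresent\":\"Y\"'

# Tolerant "key":"value" pair matcher used only when JSON parsing fails.
_PAIR_RE = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"\s*:\s*"([^"\\]*(?:\\.[^"\\]*)*)"')


def parse_request(request: Optional[str]) -> dict:
    """Turn the JSON-ish 'request' string into a dict.

    Tries the string as-is, then wrapped in braces (the logs above carry bare
    pairs without braces), then falls back to a regex over "key":"value" pairs.
    """
    if not request:
        return {}
    for candidate in (request, "{" + request + "}"):
        try:
            parsed = json.loads(candidate)
        except json.JSONDecodeError:
            continue
        if isinstance(parsed, dict):
            return parsed
    return {key: value for key, value in _PAIR_RE.findall(request)}


def raw_matches(lines: Iterable[str], needle: str = RAW_NEEDLE) -> List[str]:
    """Substring filter over the raw event text, i.e. what the SPL search attempts."""
    return [line for line in lines if needle in line]


def find_present(lines: Iterable[str], uid: str = "1234", value: str = "Y") -> List[dict]:
    """Structured filter: parse the outer record, then the inner request string."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed events rather than let them poison the result
        if record.get("uid") != uid or record.get("request") is None:
            continue
        fields = parse_request(record["request"])
        if str(fields.get("isPresent", "")).strip() == value:
            hits.append(record)
    return hits


if __name__ == "__main__":
    print("raw substring hits:", len(raw_matches(SAMPLE_LOGS)))
    for hit in find_present(SAMPLE_LOGS):
        print("structured hit:", hit["uid"], parse_request(hit["request"]))
```

The raw needle matches both uid=1234 and uid=9999 events because it knows nothing about the other fields; the structured filter applies the uid and request!=null conditions first and then reads isPresent from the parsed body, so it also ignores requests that lack the key entirely. In SPL the structured approach is usually done by extracting the inner value with rex on the request field (a named capture group around the value after "isPresent":) and then filtering on the extracted field, rather than searching for backslash-escaped literals.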