How to Splunk Search a string if it contains a sub...

prithwirajbose · ‎08-16-2022

I have Splunk logs stored in this format (2 example dataset below):

{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n \"city\":\"irving\",\n\"state\":\"TX\",\n\"isPresent\":\"Y\"","uid":"1234"}

{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"san diego\",\n\"state\":\"CA\",\n\"isPresent\":\"N\"","uid":"1234"}

I'm trying to find all records where isPresent is "Y". Now request is a string containing a JSON's string representation. So, I'm using a query like this:

\\"isPresent\\":\\"Y\\" uid=1234 AND request!=null

But this query is bringing up to isPresent=Y and isPresent=N records, effectively meaning that the filter is not working at all. Any idea how I can search a string to check if it contains a specific substring?

ITWhisperer · ‎08-16-2022

I don't think you have enough backslashes - try this

\\\"isPresent\\\":\\\"Y\\\" uid=1234 AND request!=null

How to Splunk Search a string if it contains a substring?

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation