How to Splunk Search a string if it contains a sub...

prithwirajbose · ‎08-16-2022

I have Splunk logs stored in this format (2 example dataset below):

{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n \"city\":\"irving\",\n\"state\":\"TX\",\n\"isPresent\":\"Y\"","uid":"1234"}

{"org":"myorg","environment":"prod","proxyName":"myproxy","uriPath":"/getdata","verb":"POST","request":"\n\"city\":\"san diego\",\n\"state\":\"CA\",\n\"isPresent\":\"N\"","uid":"1234"}

I'm trying to find all records where isPresent is "Y". Now request is a string containing a JSON's string representation. So, I'm using a query like this:

\\"isPresent\\":\\"Y\\" uid=1234 AND request!=null

But this query is bringing up to isPresent=Y and isPresent=N records, effectively meaning that the filter is not working at all. Any idea how I can search a string to check if it contains a specific substring?

ITWhisperer · ‎08-16-2022

I don't think you have enough backslashes - try this

\\\"isPresent\\\":\\\"Y\\\" uid=1234 AND request!=null

How to Splunk Search a string if it contains a substring?

lookup

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Are you a member of the Splunk Community?

How to Splunk Search a string if it contains a substring?

lookup

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...