Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the whole string based on substring?

vastav_n
New Member
‎04-13-2022 06:48 AM

I have a record that results because it matches a particular sub string. Now, I want to extract the whole string the substring is part of.
For ex. I give process completed as the sub string with my query which results in a record. This record has Takeover process completed with 390 files. Now, I want to get the whole Takeover process completed with 390 files string. How do I do this? Can somebody please help.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2022 12:03 AM

The easiest thing to do is to just search for "process completed". As simple as that. In case you want to match this only to a particular field, you could use a more tricky method (it should be more effective than simple wildcard search due to the way splunk works)

"process completed" | search field="*process completed*"

or something like that.

But the question is if that's what you mean.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-13-2022 08:30 AM

Hi @vastav_n,

let me understand:

  • you want to perform a search using a string (e.g. "travel"),
  • then you want to display all the field containing the string.

Is it correct?

this is possible if you have the message to display in a field (called e.g. "message") and running something like this:

your_search "travel"
| eval check=if(like(message,"%travel%"),"yes","not")
| search check="yes"
| table _time message

Ciao.

Giuseppe

0 Karma
Reply

vastav_n
New Member
‎04-13-2022 09:07 AM

Hi @gcusello , thanks for replying. 
Yes, you understood my issue correctly. Actually this is almost the same solution I have right now. The only issue is I have multiple message fields, and if I run this it gives me the string of the first occurrence of message instead of the message  which matches my sub-string.
For ex. this is how my event looks like:

 

 

time=2022-04-13T07:00:34,276Z traceName= correlationId= level=INFO logger=PortfolioFetcher message="Calling" source="TakeOver/file3"
time=2022-04-13T07:00:34,278Z traceName= correlationId= level=INFO logger=PortfolioFetcher message="Calling" source="TakeOver/file5"
time=2022-04-13T07:00:34,281Z traceName= correlationId= level=INFO logger=PortfolioFetcher message="Calling" source="TakeOver/file2"
time=2022-04-13T07:00:35,213Z traceName= correlationId= level=INFO logger=DataFetcher message="Takeover process completed with 390_38 files" source="TakeOver/file1"

 

 


Now, I want to use sub string "process completed" to get string  "Takeover process completed with 390_38 files" .

If you could help with this, that would be really awesome of you!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-13-2022 11:34 PM

Hi @vastav_n,

let me understand: the samples you shared are different events, is it correct?

do you want to display all events or only the one matching the "process completed" string?

if only the matching string, my solution should work for you:

your_search "travel"
| eval check=if(like(message,"%process completed%"),"yes","not")
| search check="yes"
| table _time message

what is the result of my search?

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top