Solved: Re: How to generate a search for an exact word pat...

danielcmarcosjr · ‎11-02-2016

Hi All,

I want to search a word in Splunk in a certain field for example "foo" and will return the following:

foo bar
only foo bar
only foo

and will not return:

foos
xfoo

somesoni2 · ‎11-02-2016

Give this a try (run anywhere search, replace everything before the where clause with your search, also replace the field1 with your field name)

| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1 
| where match(field1,"(\s|^)foo(\s|$)")

View solution in original post

ddrillic · ‎11-04-2016

A good discussion about Splunk Search For Exact Word

@lguinn says -

inventsekar · ‎11-02-2016

Maybe, regex will help.

Your base search | regex "(\s|^)foo(\s|$)" 
Or
Your base search | regex "\bfoo\b"

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

danielcmarcosjr · ‎11-04-2016

Thanks a lot! 🙂 🙂 🙂

somesoni2 · ‎11-02-2016

Give this a try (run anywhere search, replace everything before the where clause with your search, also replace the field1 with your field name)

| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1 
| where match(field1,"(\s|^)foo(\s|$)")

danielcmarcosjr · ‎11-02-2016

Hello,

Thank you for your reply however are there any syntax that I can use instead of hardcoding the "foo bar" ....
because the value is from text box.

somesoni2 · ‎11-02-2016

The value of textbox should be assigned to a token, just replace the foo in match function with that token, like this

your base search  | where match(field1,"(\s|^)$yourtextboxToken$(\s|$)")

danielcmarcosjr · ‎11-02-2016

hmm. but I believe it will not return result "only foo" because there are no spaces after foo.

somesoni2 · ‎11-02-2016

Have you tested it? (I provided a runanywhere query with sample data).

ddrillic · ‎11-02-2016

@somesoni2 - isn't there an exact phrase syntax such as "only foo"? you would expect it from a search engine...

somesoni2 · ‎11-02-2016

@Ddrillic, not sure I understood your question?

danielcmarcosjr · ‎11-02-2016

Hi,

What if it should be case insensitive?

DMohn · ‎11-02-2016

Add a (?i) at the start of the regex:

your base search  | where match(field1,"(?i)(\s|^)$yourtextboxToken1$(\s|$)") OR match(field1,"(?i)(\s|^)$yourtextboxToken2$(\s|$)") OR ....

danielcmarcosjr · ‎11-04-2016

Thanks a lot! 🙂 🙂 🙂

danielcmarcosjr · ‎11-02-2016

ow yes. it works. What if I have many textboxtoken that are in OR logical operator?

somesoni2 · ‎11-02-2016

Then you'll create match-expression for each of the token.

your base search  | where match(field1,"(\s|^)$yourtextboxToken1$(\s|$)") OR match(field1,"(\s|^)$yourtextboxToken2$(\s|$)") OR ....

gokadroid · ‎11-02-2016

Did you try *foo*, as that shall return foos and xfoo in events.

Updating as per comment, to search exactly "foo", try (foo) as a search term including the round brackets

danielcmarcosjr · ‎11-02-2016

Hi,

Thanks for your reply but it should not display that way.
It should be:

foo bar
only foo bar
only foo

gokadroid · ‎11-02-2016

that should be easy, try (foo) in search term so that it only searches whole word "foo", nothing more or less.

danielcmarcosjr · ‎11-02-2016

Hi,

I need to search in specific field.
like this
I believe it will return an error
field1=(foo)

gokadroid · ‎11-02-2016

Try regex to your rescue

your search to return field1
| regex field1=".*\sfoo\s.*"
| complete your search

How to generate a search for an exact word pattern?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services