Hi All,
I want to search for a word in Splunk in a certain field, for example "foo", and it will return the following:
foo bar
only foo bar
only foo
and will not return:
foos
xfoo
Give this a try (run anywhere search, replace everything before the where clause with your search, also replace the field1 with your field name)
| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1
| where match(field1,"(\s|^)foo(\s|$)")
Thanks, but it will not return a result if the foo is the last word.
wow...
your search to return field1
| regex field1="(.*(^|\s)foo(\s|$).*)"
| complete your search
see this please
Thanks a lot!
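The following Python sketch is an added example, not code from any poster in this thread. It runs the thread's sample values through three regex variants to show how the trailing alternative decides whether "foo" as the last word is matched. The `\b` pattern, the whitespace-only variant, and the punctuation sample are assumptions added for comparison; Python's `re` treats `\s`, `^`, `$` and `\b` the same way as the PCRE engine Splunk uses for these patterns.

```python
import re

# Field values from the thread's run-anywhere search, plus the question's
# "xfoo" case and one constructed value where punctuation follows the word.
SAMPLES = [
    "foo bar", "only foo bar", "only foo",
    "not foos", "foox no", "don't fool me", "xfoo",
    "error in foo, retrying",  # constructed sample
]

PATTERNS = {
    # Pattern from the where match() answer: whitespace or a string anchor
    # must sit on each side of the word.
    "space_or_anchor": r"(\s|^)foo(\s|$)",
    # Constructed variant: a whitespace character is required after the
    # word, with no end-of-string alternative.
    "space_required_after": r"(^|\s)foo\s",
    # Assumption (not from the thread): word-boundary form, which also
    # accepts punctuation next to the word.
    "word_boundary": r"\bfoo\b",
}


def matches(pattern_name, values=SAMPLES):
    """Return the values in which the named pattern matches anywhere."""
    rx = re.compile(PATTERNS[pattern_name])
    return [v for v in values if rx.search(v)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:21} -> {matches(name)}")
```

The anchor form keeps "only foo" and rejects "foo," while the word-boundary form accepts both, which matters when the field holds log text with punctuation.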