How to generate a search for an exact word pattern?

danielcmarcosjr
Explorer

Hi All,

I want to search for a word in Splunk in a certain field, for example "foo", and have it return the following:

foo bar
only foo bar
only foo

and will not return:

foos
xfoo

1 Solution

somesoni2
Revered Legend

Give this a try (run-anywhere search; replace everything before the where clause with your search, and replace field1 with your field name):

| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1 
| where match(field1,"(\s|^)foo(\s|$)")

danielcmarcosjr
Explorer

Thanks, but it will not return a result if foo is the last word.

0 Karma

gokadroid
Motivator

:slightly_smiling_face: wow...

your search to return field1
 | regex field1="(.*(^|\s)foo(\s|\n).*)"
 | complete your search

see this please

0 Karma

danielcmarcosjr
Explorer

Thanks a lot! :slightly_smiling_face: :slightly_smiling_face: :slightly_smiling_face:

0 Karma
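
Added example, not from any of the posters in this thread: a run-anywhere search that evaluates the two patterns posted above, plus a `\bfoo\b` variant, against the same values so their behaviour can be compared row by row. The sample values, the `\bfoo\b` pattern and the output column names are constructed for illustration.

```spl
| makeresults
| eval field1=split("foo bar#only foo bar#only foo#foo#foos#xfoo#foo.exe#foo-bar", "#") ```constructed sample values```
| mvexpand field1
| eval ws_or_end=if(match(field1, "(^|\s)foo(\s|$)"), "match", "-") ```whitespace or string start/end on both sides```
| eval ws_only_after=if(match(field1, "(^|\s)foo(\s|\n)"), "match", "-") ```requires a whitespace character after foo```
| eval word_boundary=if(match(field1, "\bfoo\b"), "match", "-") ```\b: any transition between word and non-word characters```
| table field1 ws_or_end ws_only_after word_boundary
```

Because `\n` is already covered by `\s`, the second pattern needs a whitespace character after foo, whereas `$` also accepts the end of the value. `\b` additionally treats punctuation as a boundary, which matters when the field holds file names, hostnames or command lines.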