
How to get Splunk btool command to return an exact match?

Communicator

Hi,

I have savedsearches like:

dev_sudo
dev_sudo mod
dev_sudo mod2

How do I dump the first one with btool?
If I use splunk cmd btool savedsearches list dev_sudo, I get all three results. I need to dump only the exact match.


Re: How to get Splunk btool command to return an exact match?

SplunkTrust

I'm not sure you can. The help for btool says " btool [options] CONFFILE {list|layer|add|delete} [stanzaPrefix]", which tells me btool adds an implicit "*" to the last argument. For example, "splunk btool savedsearches list devsudo*".


Re: How to get Splunk btool command to return an exact match?

Communicator

If somebody needs it, something like this should work:

| sed 's/^[^ ]\+ \+//g' | tr '\n' '~' | sed 's/^\(\[[^\[]\+\).*/\1/g' | tr '~' '\n'

It assumes that the exact match will be first.


Re: How to get Splunk btool command to return an exact match?

Motivator

I like grep -P

-P, --perl-regexp
Interpret the pattern as a Perl-compatible regular expression (PCRE).

splunk cmd btool savedsearches list | grep -P "dev_sudo$"

and if you are only looking to scrape the matching regex...
-o, --only-matching
Print only the matched (non-empty) parts of a matching line, with each such part on a separate output line.

splunk cmd btool savedsearches list | grep -Po "dev_sudo$"
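
An added example, not part of the original thread and not a Splunk tool: a filter that keeps only the stanza whose header is exactly [NAME], wherever it appears in the btool output. The helper name btool_exact_stanza and the sample data are constructed, and it assumes plain list output (no leading file-path column) with multi-line values continued by a trailing backslash, as in .conf files.

```shell
#!/bin/sh
# Added example: print only the stanza whose header is exactly [NAME]
# from `btool ... list` output read on stdin.
# btool_exact_stanza is a hypothetical helper name, not a Splunk command.
btool_exact_stanza() {
    # Pass the wanted header through the environment so awk does not
    # interpret backslash escapes in the stanza name.
    WANT="[$1]" awk '
        # Remember whether the previous line ended with a backslash:
        # a continued value such as a subsearch "[search ...]" must not
        # be mistaken for a stanza header (assumed continuation format).
        { cont = prev_cont; prev_cont = ($0 ~ /\\$/) }
        # A header is a non-continuation line of the form [ ... ].
        !cont && /^\[.*\]$/ { in_stanza = ($0 == ENVIRON["WANT"]) }
        in_stanza { print }
    '
}

# Constructed sample of btool list output (not from a real system).
sample_btool_output() {
    cat <<'EOF'
[dev_sudo]
cron_schedule = */5 * * * *
search = index=os sourcetype=linux_secure sudo \
[search index=os tag=dev | fields host]
[dev_sudo mod]
cron_schedule = 0 * * * *
search = index=os sudo | stats count by user
[dev_sudo mod2]
search = index=os sudo | top user
EOF
}

# Usage against a live instance (the stanzaPrefix narrows the output first):
#   splunk cmd btool savedsearches list dev_sudo | btool_exact_stanza dev_sudo
```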