Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get Splunk btool command to return an exact match?

lukasz92
Communicator
‎12-15-2016 02:54 AM

Hi,

I have savedsearches like:

dev_sudo
dev_sudo mod
dev_sudo mod2

How to dump the first with btool?
If I use splunk cmd btool savedsearches list dev_sudo - I get all three results. I need to dump only exact match

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukasz92
Communicator
‎12-15-2016 06:46 AM

If somebody will need it, something like this should work:

| sed 's/^[^ ]\+ \+//g' | tr '\n' '~' | sed 's/^\(\[[^\[]\+\).*/\1/g' | tr '~' '\n'

It assumes that the exact match will be first.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎12-08-2018 03:58 PM

I like grep -P

-P, --perl-regexp
Interpret the pattern as a Perl-compatible regular expression (PCRE).

splunk cmd btool savedsearches list | grep -P "dev_sudo$"

and if you are only looking to scrape the matching regex...
-o, --only-matching
Print only the matched (non-empty) parts of a matching line, with each such part on a separate output line.

splunk cmd btool savedsearches list  | grep -Po "dev_sudo$"
0 Karma
Reply
Solved! Jump to solution
Solution

lukasz92
Communicator
‎12-15-2016 06:46 AM

If somebody will need it, something like this should work:

| sed 's/^[^ ]\+ \+//g' | tr '\n' '~' | sed 's/^\(\[[^\[]\+\).*/\1/g' | tr '~' '\n'

It assumes that the exact match will be first.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2016 05:10 AM

I'm not sure you can. The help for btool says " btool [options] CONF_FILE {list|layer|add|delete} [stanzaPrefix]", which tells me btool adds an implicit "*" to the last argument. For example, "splunk btool savedsearches list dev_sudo*".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...