How to search and filter by a field that contains ...

teknet7 · ‎05-24-2016

Hello Team,

I could see a lot of discussions on this forum, but none solving my issue.

I have a log with content like this:

field number1: value1, Application Server=running, Database Server=running

When I try these searches:
Server="running" works fine, but with 'Application Server'="running" or "Application Server"="running" it's not. How can I filter by value of a field which has a space? I need to have logs with Application Server running (not Database Server running).

Thanks,
Michal

JL99 · ‎03-12-2024

You should able to do that with enclosing your field name with dollar sign ($)

$Application Server$="running"

Refer to: https://community.splunk.com/t5/Splunk-Search/Search-field-names-with-spaces-in-map-command-inner-se...

jsven7 · ‎08-08-2017

If you're looking for events with Server fields containing "running bunny", this works for me:

Server=*"running bunny"*

sjohnson_splunk · ‎05-24-2016

When you view the raw events in verbose search mode you should see the field names. What is the field name? If it is just "server" you should consider creating either an EXTRACT or REPORT in the props.conf for that source or sourcetype.

How to search and filter by a field that contains spaces?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to search and filter by a field that contains spaces?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...