How to search and filter by a field that contains ...

teknet7 · ‎05-24-2016

Hello Team,

I could see a lot of discussions on this forum, but none solving my issue.

I have a log with content like this:

field number1: value1, Application Server=running, Database Server=running

When I try these searches:
Server="running" works fine, but with 'Application Server'="running" or "Application Server"="running" it's not. How can I filter by value of a field which has a space? I need to have logs with Application Server running (not Database Server running).

Thanks,
Michal

JL99 · ‎03-12-2024

You should able to do that with enclosing your field name with dollar sign ($)

$Application Server$="running"

Refer to: https://community.splunk.com/t5/Splunk-Search/Search-field-names-with-spaces-in-map-command-inner-se...

jsven7 · ‎08-08-2017

If you're looking for events with Server fields containing "running bunny", this works for me:

Server=*"running bunny"*

sjohnson_splunk · ‎05-24-2016

When you view the raw events in verbose search mode you should see the field names. What is the field name? If it is just "server" you should consider creating either an EXTRACT or REPORT in the props.conf for that source or sourcetype.

How to search and filter by a field that contains spaces?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to search and filter by a field that contains spaces?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR