Splunk Search

How to search for specific text in field without additional text?

joesrepsol
Path Finder

Sorry for the strange title... couldn't think of anything better. Doing a search on a command field in Splunk with values like:
sudo su - somename
sudo su - another_name
sudo su -

And I'm only looking for the records "sudo su -". I don't want the records that match those characters and more... just records that ONLY contain "sudo su -". When I write the search Command="sudo su -" I still get the other records too. Struggling to figure this out.

Thanks!

Tags (1)
0 Karma
1 Solution

DalJeanis
Legend

There are lots of ways to make this happen.

You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""

You could use a regular expression that will only match if there are non-whitespace characters after the -

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"

View solution in original post

0 Karma

DalJeanis
Legend

There are lots of ways to make this happen.

You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""

You could use a regular expression that will only match if there are non-whitespace characters after the -

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@joesrepsol

have you tried search command?

try this:

| makeresults | eval _raw=" Command
sudo su - somename
sudo su - another_name
sudo su -
" | multikv | search Command="sudo su -"
0 Karma

joesrepsol
Path Finder

THANK YOU.

This seems to have worked! I'm a little confused why adding Command="sudo su -" in the normal search seemingly applies an asterisks to the value, but when adding it with the |search Command="sudo su -" doesnt?

Regardless its working, and thank you.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Great.

Can you please accept the answer and upvote it to help the community?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...