Splunk Search

How to search for specific text in field without additional text?

joesrepsol
Path Finder

Sorry for the strange title... couldn't think of anything better. Doing a search on a command field in Splunk with values like:
sudo su - somename
sudo su - another_name
sudo su -

And I'm only looking for the records "sudo su -". I don't want the records that match those characters and more... just records that ONLY contain "sudo su -". When I write the search Command="sudo su -" I still get the other records too. Struggling to figure this out.

Thanks!

0 Karma
1 Solution

DalJeanis
Legend

There are lots of ways to make this happen.

You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...

your search that gets all the "sudo su -" (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""

You could use a regular expression that will only match if there are non-whitespace characters after the -

your search that gets all the "sudo su -" (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"


0 Karma
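As an added illustration, not code from the thread, the matching logic in the answer above run in Python over a constructed set of Command values, so the difference between a plain substring test, the strip-and-check-what-is-left approach, and a fully anchored regex is visible side by side. The sample values, the function names and the anchored BARE_RE pattern are mine; the STRIP_RE and HAS_TARGET_RE patterns are the two regexes from the answer.

```python
import re

# Constructed sample values for the Command field (not data from the thread).
# They include the whitespace variants the answer warns about, plus a few
# look-alikes a practitioner would want to see handled.
SAMPLE_COMMANDS = [
    "sudo su - somename",
    "sudo su - another_name",
    "sudo su -",
    "sudo  su   -",        # extra internal spaces
    "sudo su - ",          # trailing space
    "sudo su -l",          # su -l is a synonym for su -, but a different string
    "sudo su - root",
    "ls -la",
]

# Regex from the answer's sed-mode rex: remove one "sudo su -" and inspect the remainder.
STRIP_RE = re.compile(r"sudo\s+su\s+-")

# Regex from the answer's | regex command: matches only when a word character
# follows the dash, i.e. the records that name a target user.
HAS_TARGET_RE = re.compile(r"\s*sudo\s+su\s+-[ \t]*\w")

# Assumed (mine, not from the thread): an anchored, whitespace-tolerant pattern
# that matches a value consisting of nothing but "sudo su -".
BARE_RE = re.compile(r"^\s*sudo\s+su\s+-\s*$")


def substring_match(commands, needle="sudo su -"):
    """The behaviour the poster ran into: a substring test keeps every
    record that merely contains the needle, including the longer ones."""
    return [c for c in commands if needle in c]


def leftover_after_strip(commands):
    """Sed-style removal: return (command, leftover) pairs. An empty
    leftover means the record was the bare 'sudo su -'."""
    return [(c, STRIP_RE.sub("", c, count=1).strip()) for c in commands]


def bare_via_strip(commands):
    """Keep only records where nothing is left after stripping the pattern
    (the inverse of the answer's 'where testfield!=""' filter)."""
    return [c for c, left in leftover_after_strip(commands) if left == ""]


def records_with_target_user(commands):
    """Records where something follows the dash (the answer's | regex)."""
    return [c for c in commands if HAS_TARGET_RE.search(c)]


def bare_sudo_su(commands):
    """Only records whose whole value is 'sudo su -', allowing extra whitespace."""
    return [c for c in commands if BARE_RE.match(c)]


if __name__ == "__main__":
    print("substring  :", substring_match(SAMPLE_COMMANDS))
    print("with user  :", records_with_target_user(SAMPLE_COMMANDS))
    print("bare/strip :", bare_via_strip(SAMPLE_COMMANDS))
    print("bare/anchor:", bare_sudo_su(SAMPLE_COMMANDS))
```

Two points worth noticing when running it: the substring test misses "sudo  su   -" (double spaces) while keeping every "sudo su - user" record, which is the opposite of what the poster wanted, and neither regex treats "sudo su -l" as bare even though su -l and su --login do the same thing as su -, so a detection that cares about the action rather than the literal string needs to allow for those spellings too.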

kamlesh_vaghela
SplunkTrust
SplunkTrust

@joesrepsol

Have you tried the search command?

Try this:

| makeresults | eval _raw=" Command
sudo su - somename
sudo su - another_name
sudo su -
" | multikv | search Command="sudo su -"
0 Karma

joesrepsol
Path Finder

THANK YOU.

This seems to have worked! I'm a little confused why adding Command="sudo su -" in the normal search seemingly applies an asterisk to the value, but adding it with |search Command="sudo su -" doesn't?

Regardless, it's working, and thank you.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Great.

Can you please accept the answer and upvote it to help the community?

0 Karma