Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search string abc/efg in log using multiselect field?

wangkevin1029
Communicator
‎11-17-2022 02:14 PM

Hi, Splunkers, 

 

I  want to search string like abc/efg in my log using  multiselect field. 

I directly defined this  search value  abc/efg in multiselect field , token  name "keyword"

in my query, I use $keyword" to search,  it doesn't' work,  I also try  abc\/efg, it doesn't work either,  but other normal string works here.

 

any ideas? 

 

thx in advance.

 

Kevin

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-17-2022 03:10 PM

Depending on data, some methods can be more efficient than others.  Here is the most generic method if you truly want to search for a string that may appear anywhere in the event. (In other words, you must satisfy ("*abc*" OR "*efg*"). Extremely expensive.)

<input type="multiselect" token="keyword">
  <choice value="abc">abc</choice>
  <choice value="efg">efg</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <delimiter> OR </delimiter>
  <valuePrefix>&quot;*</valuePrefix>
  <valueSuffix>*&quot;</valueSuffix>
</input>

Then in search, you just say $keyword$.  There can be many variations of this, especially in regard to prefix and suffix.  For example, you can include all the asterisk, quotation mark, in value and do not use <valuePrefix/> and <valueSuffix/>; you can also do ($keyword$) in search and do away with <prefix/> and <suffix/>. (This question better belongs to reporting & dashboard forum.)

0 Karma
Reply

wangkevin1029
Communicator
‎11-17-2022 07:03 PM

I  retried  abc\/efg, it works now, thx you, anyway.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...