How to search string abc/efg in log using multise...

wangkevin1029 · ‎11-17-2022

Hi, Splunkers,

I want to search string like abc/efg in my log using multiselect field.

I directly defined this search value abc/efg in multiselect field , token name "keyword"

in my query, I use $keyword" to search, it doesn't' work, I also try abc\/efg, it doesn't work either, but other normal string works here.

any ideas?

thx in advance.

Kevin

yuanliu · ‎11-17-2022

Depending on data, some methods can be more efficient than others. Here is the most generic method if you truly want to search for a string that may appear anywhere in the event. (In other words, you must satisfy ("*abc*" OR "*efg*"). Extremely expensive.)

<input type="multiselect" token="keyword">
  <choice value="abc">abc</choice>
  <choice value="efg">efg</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <delimiter> OR </delimiter>
  <valuePrefix>&quot;*</valuePrefix>
  <valueSuffix>*&quot;</valueSuffix>
</input>

Then in search, you just say $keyword$. There can be many variations of this, especially in regard to prefix and suffix. For example, you can include all the asterisk, quotation mark, in value and do not use <valuePrefix/> and <valueSuffix/>; you can also do ($keyword$) in search and do away with <prefix/> and <suffix/>. (This question better belongs to reporting & dashboard forum.)

wangkevin1029 · ‎11-17-2022

I retried abc\/efg, it works now, thx you, anyway.

How to search string abc/efg in log using multiselect field?

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation