Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search string abc/efg in log using multiselect field?

wangkevin1029
Communicator
‎11-17-2022 02:14 PM

Hi, Splunkers, 

 

I  want to search string like abc/efg in my log using  multiselect field. 

I directly defined this  search value  abc/efg in multiselect field , token  name "keyword"

in my query, I use $keyword" to search,  it doesn't' work,  I also try  abc\/efg, it doesn't work either,  but other normal string works here.

 

any ideas? 

 

thx in advance.

 

Kevin

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-17-2022 03:10 PM

Depending on data, some methods can be more efficient than others.  Here is the most generic method if you truly want to search for a string that may appear anywhere in the event. (In other words, you must satisfy ("*abc*" OR "*efg*"). Extremely expensive.)

<input type="multiselect" token="keyword">
  <choice value="abc">abc</choice>
  <choice value="efg">efg</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <delimiter> OR </delimiter>
  <valuePrefix>&quot;*</valuePrefix>
  <valueSuffix>*&quot;</valueSuffix>
</input>

Then in search, you just say $keyword$.  There can be many variations of this, especially in regard to prefix and suffix.  For example, you can include all the asterisk, quotation mark, in value and do not use <valuePrefix/> and <valueSuffix/>; you can also do ($keyword$) in search and do away with <prefix/> and <suffix/>. (This question better belongs to reporting & dashboard forum.)

0 Karma
Reply

wangkevin1029
Communicator
‎11-17-2022 07:03 PM

I  retried  abc\/efg, it works now, thx you, anyway.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...