Splunk Search

How to simply filter out a text string from search results that has line breaks/returns in it on Splunk Enterprise?

anonymous_hippo
Explorer

I'm really annoyed. I am using Splunk Enterprise and I'm literally trying to parse out some JSON (basically a string) from my Splunk logs that has line breaks after each field/key in the JSON string result, i.e.

Some random search results here {
  key1: value1
  key2: value2
  key3: value3
  }, some log message here

.... Like .* and many other regex chars work just fine in the search for some reason. I tried all combinations of [\r\n\s]+ and such and get 0 results, despite it working just fine in the regex101.com online sandbox environment.

I think I read online from my searches that Splunk logs don't preserve the line breaks, but if it doesn't do that, then what does the final result look like? Because I tried querying without whitespace, or line breaks, and every combination under the sun, and never got a "hit" back on my search results.

Also, I'm not using any of that REX crap as I don't need to extract anything; I just wanted to filter and maybe do a stats count on my results.

Can anyone provide a simple solution please thank you!


richgalloway
SplunkTrust

Exactly HOW are you trying to filter on those strings?  The search command does not recognize regular expressions so every regex will fail there.  It would help if you shared your query.

Not using rex (it's not crap :-)) is fine if you're not extracting fields, but consider using regex or a where command with the match function.

---
If this reply helps you, Karma would be appreciated.

anonymous_hippo
Explorer

Hi, thanks for responding. I found a more ghetto solution where I just chained a bunch of AND statements together in the query, lol.

Also, I don't get what you mean that every regex will fail in the search command, because the wildcard (*) and dot (.) operators work exactly as they do with normal regex and I use them all the time in the SEARCH query.

It seems like some commands actually work while others do not? I stand corrected if I am wrong.


richgalloway
SplunkTrust

Glad you worked it out.  Please consider sharing your solution so it might help someone else.

The search command does support "*" as a wildcard, but that is not the same as in regex.  "*" in search means matches any number of any character, whereas "*" in regex matches any number of the character that precedes the "*".  Also, "." is not documented as a metacharacter in search.

---
If this reply helps you, Karma would be appreciated.
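As an added example (not code from either poster), the two suggestions in the replies above, `where` with `match()` and the `regex` command, applied to a constructed event shaped like the JSON fragment in the question. The first search builds the multiline event itself with `makeresults`, using `urldecode("%0A")` to get a real newline into `_raw`; the second shows the same filter against a live index, where `index=main` and `sourcetype=app_logs` are placeholder names and the assumption is that the JSON fragment was indexed as one event with its line breaks intact in `_raw`:

```spl
| makeresults
| eval nl=urldecode("%0A")
| eval _raw="Some random search results here {" . nl . "  key1: value1" . nl . "  key2: value2" . nl . "  key3: value3" . nl . "  }, some log message here"
| where match(_raw, "(?s)key1:\s*value1\s+key2:\s*value2")
| regex _raw="(?m)^\s*key3: value3$"
| stats count

index=main sourcetype=app_logs "some log message here"
| regex _raw="(?s)key1:\s*value1\s+key2:\s*value2\s+key3:\s*value3"
| stats count
```

In both searches the quoted phrase and any `*` belong to the search command and are matched as literal terms and wildcards, not as a regular expression; the PCRE work happens only in `match()` and `regex`, which run against the whole `_raw` string. `\s` already covers `\r` and `\n`, so the `[\r\n\s]+` pattern from the question is fine there; `(?s)` is what lets `.` cross line boundaries, and `(?m)` is what makes `^` and `$` anchor at individual lines inside a multiline event. The `makeresults` search produces exactly one event, so its `stats count` returns 1 when both patterns match, which is a quick way to confirm the regex before pointing it at real data.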