How to use punctuation in a search string: (), [],...

lzamora33 · ‎04-23-2020

Hi there,

Really basic question but I can't find a detailed answer.
Can someone explain the different uses of (), [], and example in the search app?

Thanks in advance.

rkyadav · ‎04-23-2020

example : (warn OR error) NOT fail*

Retrieves all events containing either
“warn” or “error”, but not those that
have “fail”, “fails”, “failed”, failure”,
etc.

example 2 : sourcetype=syslog [search login error | return user]

here, search command, like all commands, can be used as a subsearch—a
search whose results are used as an argument to another search command.
Subsearches are enclosed in square brackets. For example, to find
all syslog events from the user that had the last login error, use the following
command: sourcetype=syslog [search login error | return user]

hope it gives some help to your query

lzamora33 · ‎04-23-2020

last question, what happen whit a search between asterisks example source_type = asterisksexampleasterisks

rkyadav · ‎04-24-2020

when you search for sourcetype=example , it will fetch all sourcetype which has example as suffix or prefix .

like sourcetypes one_example or example_two will be displayed

lzamora33 · ‎04-23-2020

Thanks buddy, that's what i was looking for.

sensitive-thug · ‎04-27-2020

Thank you for asking a question, I'm glad you found a helpful answer from @rkyadav. If their answer solved your issue please accept their answer.

How to use punctuation in a search string: (), [], and *?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio