Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to search "keyword", but not operate on _raw field of the event?

abour
Explorer
‎07-13-2015 06:17 AM

Is there a way to use something like search "keyword", but not operate on the _raw field of the event, but let's say field1 and field2?

search field="keyword" is not the same as this is an exact match. Likewise, if using wildcards, the delimiter/word matching capability is gone. Is there any way to achieve this seemingly simple thing without needing to circle back to regular expression matching on fields?

I seem to be able to achieve something close via eval _raw=field1.field2 | search "keyword". Is it a bad idea to do this and is there a way to extract the original fields in that case or would they be lost?

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 07:24 AM

You could use both worlds:

index=foo sourcetype=bar field=*keyword* keyword | regex field=".*\bkeyword\b.*"

The basic search gets you as close as it can, and the regex throws out fringe events.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 03:29 PM

The second keyword is just there to speed things up, enabling Splunk to only load good potential matches off disk rather than everything.

0 Karma
Reply

abour
Explorer
‎07-13-2015 08:07 AM

Is that really the same? I think the second keyword instance would match on all fields while the wildcard version only matches field. The resulting set is not the same in all cases I believe.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2015 06:55 AM

Like this?

(field1=* AND field2=*) AND (field1="keyword" OR field2="keyword")

Or maybe this:

(field1=* AND field2=*) AND (field1=*keyword* OR field2=*keyword*)

Perhaps some of what you are experiencing is related to this frustrating situation, intrinsic to Splunk searching optimizations:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...