Splunk Search

Issue with search query

mamulani11
New Member

I have a User_Id field in my log. In the User_Id field I have values like john, sonia, ces\ts1, ...
Now when I am searching for john & sonia,
I am getting the exact answer.
But when I am searching for ces/ts1, I am getting no results found.
Can anyone please tell me what's the error? Is it that the search command doesn't take "\"?
Please help...

0 Karma

the_wolverine
Champion

There are escape characters (particularly with the Windows Event Logs, I have noticed). If you're unsure of the syntax you can always search with a wildcard:

User_Id=*ts1

To the left of your results, you have a list of fields. Click on the User_Id field and select the match for your user "css/ts1". This will return the exact search string needed in the search bar for your reference.

0 Karma

martin_mueller
SplunkTrust

There appears to be a mix of forward slashes / and backslashes \ going on - make sure you're searching for the right kind.

0 Karma

somesoni2
Revered Legend

If there are special characters in the field value, then while searching by value you need to escape them. E.g. if user_id=ces/ts1, then in the search use user_id="ces\/ts1"

0 Karma

kristian_kolb
Ultra Champion

Please provide your exact search queries, and a few sample lines of your log file.
