Re: Issue with search query

mamulani11 · ‎03-21-2014

I have User_Id field in my log. In the user_Id field I have value like john,sonia,ces\ts1,......
Now when i am searching for john & sonia
I am getting the exact answer
But when I am searching for ces/ts1.I am getting no result found.
Can anyone please tell me whats the error. Is that search command doesn't take "\".
Please help......

the_wolverine · ‎04-08-2014

There are escape characters (particularly with the Windows Event Logs, I have noticed). If you're unsure of the syntax you can always search with a wildcard:

User_Id=*ts1

To the left of your results, you have a list of fields. Click on the User_Id field and select the match for your user "css/ts1". This will return the exact search string needed in the search bar for your reference.

martin_mueller · ‎03-21-2014

There appears to be a mix of forward slashes / and backslashes \ going on - make sure you're searching for the right kind.

somesoni2 · ‎03-21-2014

If there are special character in the field value, while searching then by value, your need to escape them. E.g. if user_id=ces/ts1 then in search use user_id="ces\/ts1"

kristian_kolb · ‎03-21-2014

please provide your exact search queries, and a few sample lines of your log file.

Issue with search query

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?