Splunk Search

Query for returning only the matching events?

dougtoppin
Engager

I have been wondering how to query for and return only events that contain my search term (I'm using dashboard panels). Whenever I query now I get a long list of events in the response with the ones that I am interested in and many others that I do not want to see. The query response does highlight the one that I am interested in but surrounds it with a few events before and a couple of hundred other events after from the same time period. This clutters up my panel and wastes display space. I've been checking the documentation but have not seen anything that tells me how to return only the events containing my search term.

0 Karma
1 Solution

jayannah
Builder

It looks like you have to fix the line breaking for the input file.

1. What's in your props.conf for this sourcetype?
2. Do you see one log line as one event in Splunk?
3. Give a sample of a few log events and the line-breaking condition.

If you fix the line breaking, I think it should work fine.


0 Karma

dougtoppin
Engager

Thanks for your answer. I don't control (and can't even see) the props.conf, so I did not realize that it might not be treating line breaks as individual events. I will find out and see if that is what is causing my problems.

0 Karma

jayannah
Builder

How many log lines do you see in one Splunk event?

0 Karma

dougtoppin
Engager

It looks like 260 lines are in one event. Now I realize that each thing in the response box is an individual event so it makes sense to me. I will find out how it is configured.

0 Karma

jayannah
Builder

Good. The event breaking is the root cause.

0 Karma

jayannah
Builder

Can you please elaborate with an example? I would like to know more about what your search query looks like, the result you see, and the result you expect.

0 Karma

dougtoppin
Engager

It is a JBoss server log that is being indexed and my search term is: host=myhost "worda:wordb"

The host is the one that the log is being collected from and the events that I want returned contain exactly the text "worda:wordb".

I still do not understand queries, in that the above query returns almost 300 lines from the server log with the one line that has the above text in it highlighted, so it knows what I am looking for. I want the query to return only the line(s) that contain exactly the above text.

0 Karma
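To show why the search in this thread returns the whole multi-line block rather than the one matching line, and what corrected line breaking changes, here is an added Python example. It is not from the original thread and not Splunk's own code. It embeds an assumed props.conf stanza for the JBoss sourcetype and emulates Splunk's LINE_BREAKER on a constructed server.log excerpt, then runs the `"worda:wordb"` phrase search over the events both before and after breaking. The sourcetype name `jboss:server`, the log4j-style `yyyy-MM-dd HH:mm:ss,SSS` timestamp layout and every sample log line are constructed assumptions.

```python
import re
from typing import List, Optional

# Assumed props.conf stanza for the JBoss sourcetype (sourcetype name and
# timestamp layout are assumptions, not taken from the original thread).
# Splunk drops the text captured by LINE_BREAKER's group and starts a new
# event there; the lookahead keeps stack-trace lines attached to the
# timestamped line that produced them instead of making them events.
PROPS_CONF_STANZA = r"""
[jboss:server]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
"""

# The same LINE_BREAKER, compiled so it can be tried against sample lines.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")

# Constructed JBoss server.log excerpt (not from the original post): one ERROR
# line carrying the search term, followed by its stack trace.
SAMPLE_LOG = (
    "2024-01-15 10:23:45,101 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0025: started\n"
    "2024-01-15 10:23:46,202 INFO  [com.example.app] (default task-1) request id=17 status=ok\n"
    "2024-01-15 10:23:47,303 ERROR [com.example.app] (default task-2) worda:wordb failed\n"
    "java.lang.IllegalStateException: worda:wordb\n"
    "\tat com.example.app.Handler.run(Handler.java:42)\n"
    "\tat org.jboss.threads.EnhancedQueueExecutor.run(EnhancedQueueExecutor.java:1)\n"
    "2024-01-15 10:23:48,404 INFO  [com.example.app] (default task-3) request id=18 status=ok\n"
)


def break_events(raw: str, breaker: Optional[re.Pattern]) -> List[str]:
    """Emulate Splunk event breaking on one chunk of input.

    breaker=None models the situation in the thread: nothing splits the
    chunk, so every line lands in a single multi-line event. With a breaker,
    the captured separator is discarded and each piece becomes its own event.
    """
    if breaker is None:
        return [raw.rstrip("\r\n")]
    # re.split keeps the captured group: even slots are event text, odd slots
    # are the separators, which Splunk throws away.
    pieces = breaker.split(raw)[::2]
    return [p.rstrip("\r\n") for p in pieces if p.strip()]


def search_events(events: List[str], term: str) -> List[str]:
    """Return the events a literal phrase search such as "worda:wordb" hits.

    Splunk matches literal terms case-insensitively and returns the whole
    event, which is why a badly broken event drags hundreds of lines along.
    """
    needle = term.lower()
    return [e for e in events if needle in e.lower()]


def lines_in(event: str) -> int:
    """Number of raw log lines inside one event."""
    return event.count("\n") + 1


if __name__ == "__main__":
    for label, breaker in (("no line breaking", None), ("LINE_BREAKER applied", LINE_BREAKER)):
        events = break_events(SAMPLE_LOG, breaker)
        hits = search_events(events, "worda:wordb")
        print(f"{label}: {len(events)} event(s), {len(hits)} hit(s), "
              f"{[lines_in(h) for h in hits]} line(s) in each hit")
```

Without a breaker the one hit is the entire seven-line chunk, which is the thread's symptom in miniature; with the breaker the same search returns only the ERROR line plus its three stack-trace lines, and the two unrelated INFO lines are separate events that the search never returns. Two caveats for whoever owns props.conf: line breaking is applied where the data is parsed (the indexer or a heavy forwarder, not a universal forwarder), and changing it only affects data indexed from that point on, so already indexed 260-line events keep their boundaries.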