Splunk Search

Return tag pair if tag contains any value

rizwan0683
Explorer

I would like to return all messages that contains tag 6410. Currently the below will return all messages even if they do not contain tag 6410

index=gmrt_ett sourcetype=pubhub_emea TracingIncomingMessage "ET_OMS" | search "6401=POV"
| extract pairdelim=";" kvdelim="\=" clean_keys=false 
| dedup _raw  
| searcg 6410=(?.*)
| table 11,6410
Tags (1)
0 Karma

rizwan0683
Explorer

This will do it if anyone needs, simplere than I thought

 index=gmrt_ett sourcetype=pubhub_emea TracingIncomingMessage "ET_OMS" | search "6401=POV"
 | extract pairdelim=";" kvdelim="\=" clean_keys=false 
 | dedup _raw  
 | search 6410=*
 | table 11,6410
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!