Search by Field's Value

Path Finder

So I have a search where I need to further search by the value of the field.

i.e.
| eval EPHID = "EPH1406180001103"
| search EPHID

Searches for logs with "EPHID" and not "EPH1406180001103". Is there some way to search for the field's value and not the field?

Thanks!

Re: Search by Field's Value

Motivator

Try the following:

| eval EPHID = "EPH1406180001103"
| where like(_raw,"%".EPHID."%")

Re: Search by Field's Value

Explorer

Use a subsearch. Using your example as a starting point:

[| gentimes start=-1 | eval EPHID="EPH1406180001103" | rename EPHID as query | fields query ]

Presumably your search is more complex than your example. If you have a search that results in EPHID having one or more values, then the gentimes stanza will not be needed; replace gentimes and eval with that search instead. For example:

[search user="john.doe" | rename host as query | fields query]

will search for events with user "john.doe", get the host field from these, then search for that value in everything.

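Putting the two answers above together, here is an added example of both approaches for the case the question actually describes, a single identifier pulled out of one event and then used to find every other event that mentions it (this is added here and is not from the original thread). The index name app, the sourcetype myapp, the literal "entity=" marker and the rex pattern that extracts the value from _raw are assumptions; the user john.doe and the field name entity come from the thread.

```spl
index=app sourcetype=myapp
    [ search index=app sourcetype=myapp user="john.doe" "entity="
      | head 1
      | rex field=_raw "entity=(?<entity>\S+)"
      | return $entity ]

index=app sourcetype=myapp
| rex field=_raw "entity=(?<entity>\S+)"
| eventstats first(entity) as entity_val
| where like(_raw, "%".entity_val."%")
```

The first query is the subsearch form: the inner search finds the one event that defines the value, rex extracts it into entity, and return $entity hands back only the value (not entity=value), so the outer search becomes a plain term search for that string across the whole index and benefits from indexing. The second query is the where/like form from the accepted answer, applied when the value has to be computed inside the same pipeline; eventstats copies the first extracted value onto every event so the where clause can compare each _raw against it. Two caveats when pivoting on an identifier this way: like() treats % and _ as wildcards, so a value containing an underscore matches more loosely than intended, and return defaults to a single row while subsearches are subject to result and time limits, so confirm the inner search really yields exactly one value before trusting the outer results.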
Re: Search by Field's Value

Path Finder

Having trouble understanding this. Do I need the user="john.doe" part? Why does this need to be done as a subsearch?

Re: Search by Field's Value

Path Finder

Let me give some more information:

I have a statement "eval entity="" " which is eventually set to some value which will only be a single value. Now, I need to further search the logs for this single value. Is there a way so that I search what entity equals as opposed to just its name?
