Splunk Search

Search term in table results

bullbasin
Explorer

Ok maybe it is too much Splunk today.  Whatever it is I can not for the life of me remember how to do this.

I am doing a basic search on some logs.  I want to show the search term in the table results.  The term is being queried out of the _raw

 

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| top Environment by userid
|  table  Environment, userid 

 



Where and how to I add "THE_TERM" to the table results?

Labels (1)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

richgalloway
SplunkTrust
SplunkTrust

If the search term is a fixed string then just add it to the table command.

| table Environment, userid, "THE_TERM"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

bullbasin
Explorer

Unfortunately  it is not a fixed term or field.   It is just a random term for a search.  Similar to using a search in MS Word for "FOO" in a 10,000 page document.  Now I am trying to figure out how to make that useful in the table as a result.  I have tried an input file this morning but not familiar with working with that.  

Table desired....

Environmentuseridoption
abcdefghTHE TERM
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Where does the term come from?

---
If this reply helps you, Karma would be appreciated.
0 Karma

bullbasin
Explorer

The term is being queried out of the _raw.  Which is also the field "Log"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thank you, but I was wanting to learn where the random text "THE_TERM" comes from and how it gets into the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...