I have a field message in _raw that looks something like this:
"message":"test::hardware_controller: Unit state update from cook client target: Elements(temp: -, [F: 255, F: 255, F: 255, F: 255, F: 255, F: 255]), hw_state: Elements(temp: -, [F: 255, F: 255, F: 255, F: 255, F: 255, F: 255])"
I am looking to search for messages containing the bold section, but when I search:
index="sample_idx" $serialnumber$ log_level=info message=*Unit state update from cook client target*|
This returns no results, even though I know events containing the wildcard phrase are present within the queried index and timeframe.
Here is the raw event:
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00",
"location":{"city":"XXXX","country":"XXXX","latitude":XXXX,"longitude":XXXX,"state":"XXXX"},"log_level":"info",
"message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000",
"model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
Are you sure those bare XXXX are not quoted, like this?
{"bootcount":8,"device_id":"XXXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:34:58.406-06:00",
"location":{"city":"XXXX","country":"XXXX","latitude":"XXXX","longitude":"XXXX","state":"XXXX"},"log_level":"info",
"message":"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\u0000",
"model_number":"XXXX","sequence":372246,"serial":"XXXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740033298,"timestamp_ms":1740033298406}
If so, a "normal" Splunk instance should have given you message as a field with value "martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])".
If, for whatever reason, your instance doesn't, the spath command suffices. Try this example:
| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\",
\"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\",
\"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\",
\"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| spath
| table message
Hint: the output is
message
martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])
Alternatively, use the json_extract function if your Splunk is 8.1 or later. Try this example:
| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\",
\"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\",
\"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\",
\"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
``` data emulation above ```
| eval message = json_extract(_raw, "message")
If your instance is older, you can also use the spath function. Try this example:
| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\",
\"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\",
\"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\",
\"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = spath(_raw, "timestamp")
``` data emulation above ```
| eval message = spath(_raw, "message")
Try this:
| spath
| search message="*Unit state update from cook client target*"
This does not work, as I understand it:
index="mysearch" log_level=info|
spath|
search message="*Unit state update from cook client target*"
In fact, it makes my search much slower, while still not yielding any results.
Your search is slower compared with what? You don't need to run spath according to my analysis. Because Splunk has already extracted it, running spath simply wastes CPU and memory. But running a search with a leading wildcard always slows things down considerably. (The way you try to use regex doesn't make things better.) Why do you need wildcards, anyway? Your search can be conducted in bare terms without considering the field. Try:
index="sample_idx" $serialnumber$ log_level=info
Unit state update from cook client target
Here's an emulation for you to play with and compare with real data:
| makeresults
| eval _raw = "{\"bootcount\":8,\"device_id\":\"XXXX\",\"environment\":\"prod_walker\",\"event_source\":\"appliance\",\"event_type\":\"GENERIC\",\"local_time\":\"2025-02-20T00:34:58.406-06:00\",
\"location\":{\"city\":\"XXXX\",\"country\":\"XXXX\",\"latitude\":\"XXXX\",\"longitude\":\"XXXX\",\"state\":\"XXXX\"},\"log_level\":\"info\",
\"message\":\"martini::hardware_controller: Unit state update from cook client target: Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000\",
\"model_number\":\"XXXX\",\"sequence\":372246,\"serial\":\"XXXX\",\"software_version\":\"2.3.0.276\",\"ticks\":0,\"timestamp\":1740033298,\"timestamp_ms\":1740033298406}"
| eval _time = json_extract(_raw, "timestamp")
| spath
``` the above emulates
index="sample_idx" $serialnumber$ log_level=info
```
| search Unit state update from cook client target
Second what @ITWhisperer says. If the raw event is not completely in JSON, the event must have included a JSON message. In that case, Splunk would not have extracted JSON fields. But it is strongly recommended that you treat structured data as structured data and do not use regex to extract from them. The way to do this is to extract the JSON part into its own field so you can make structured extraction. Please post sample of complete event.
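As an added illustration of the point above (this is not code from the thread, and it is Python rather than SPL): parse the event as JSON, pull the message field out as structured data, and only then test it for the phrase. The events are constructed to mirror the shape of the posted event; the syslog-style prefix on the second one, the non-JSON third line and the helper names are assumptions made for the example. The whitespace-tolerant match corresponds to the regex suggested further down the thread.

```python
import json
import re

# Constructed sample events (not the thread's own data). The first has the
# shape of the raw event posted above; the second is a JSON body behind a
# syslog-style prefix with trailing text, to model the "JSON embedded in a
# non-JSON event" case; the third is a non-JSON line that must never match.
EVENTS = [
    '{"bootcount":8,"device_id":"XXXX","log_level":"info",'
    '"message":"martini::hardware_controller: Unit state update from cook client target: '
    'Elements(temp: -, [D, D, D, D, D, F: 0]), hw_state: Elements(temp: -, [D, D, D, D, D, F: 115])\\u0000",'
    '"serial":"XXXX","timestamp":1740033298}',
    'Feb 20 00:34:58 appliance01 app: {"log_level":"info",'
    '"message":"martini::hardware_controller: Unit  state update from cook client target: x",'
    '"timestamp":1740033298} trailing',
    'Feb 20 00:34:59 appliance01 app: plain text line with no JSON',
]

PHRASE = "Unit state update from cook client target"
# Whitespace-tolerant variant of the same phrase (one or more spaces between words).
PHRASE_RE = re.compile(r"Unit\s+state\s+update\s+from\s+cook\s+client\s+target")

_decoder = json.JSONDecoder()


def extract_json(raw: str):
    """Parse the JSON object embedded in an event line.

    raw_decode() starts at the first '{' and ignores anything after the
    object, so a syslog prefix or trailing text does not break the parse.
    Returns None when no well-formed JSON object is present.
    """
    start = raw.find("{")
    if start < 0:
        return None
    try:
        obj, _end = _decoder.raw_decode(raw, start)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def message_of(raw: str):
    """Return the decoded 'message' field, or None if absent.

    The JSON escape \\u0000 decodes to a real NUL character at the end of the
    value; strip it so equality and endswith checks see the same text as the
    extracted field shown in the Splunk output above.
    """
    obj = extract_json(raw)
    if not obj or not isinstance(obj.get("message"), str):
        return None
    return obj["message"].rstrip("\x00")


def matches(raw: str, loose: bool = False) -> bool:
    """True if the event's message contains the target phrase.

    loose=True tolerates runs of whitespace between words (the regex
    approach); the default is an exact substring match on the structured
    field, which is what a field search on an extracted message does.
    """
    msg = message_of(raw)
    if msg is None:
        return False
    return bool(PHRASE_RE.search(msg)) if loose else PHRASE in msg


def filter_events(events, loose: bool = False):
    """Return the events whose message contains the phrase."""
    return [e for e in events if matches(e, loose=loose)]


if __name__ == "__main__":
    for e in EVENTS:
        print(matches(e), matches(e, loose=True), repr(message_of(e))[:80])
```

The structured path is the one to prefer: once the JSON is parsed, the phrase test is a plain substring check and no regex has to cope with quoting, escapes or the trailing NUL. The loose regex is only needed when the spacing inside the message itself varies.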
Hi,
try enclosing message=*Unit state update from cook client target* in double quotes, like this:
message="*Unit state update from cook client target*"
I think the problem is the white space between unit, state, ...
I hope it helps.
This works for certain strings, but not others. Does whitespace before or after the desired string in the event affect it?
If I use the string described above, this solution works, but with a different string it does not work. What gives?
Hi,
can you try this:
index="sample_idx" $serialnumber$ log_level=info | regex message="(?:Unit[\s]+state[\s]+update[\s]+from[\s]+cook[\s]+client[\s]+target)"
This tries to filter the data that contain the bold text, with the words separated by one or more spaces.
Is that what you are looking for?
I'm sorry if I misunderstood.
This looks like JSON. Has the event been ingested as JSON, and has the message field already been extracted?
No, how would I do that? spath?
It depends on your complete raw event - spath is likely to be part of the solution. Please share your raw event (anonymised appropriately) in a code block using the </> button.