Splunk Search

Searching string with patterns

akki2428
New Member

Hi, I would want to search for all results for this specific string pattern

'record has not been created for id XXXXXXXXXX,XXXXXXXXXX in DB'

Note that:
XXXXXXXXXX is a variable value, always of 10 character.
Sample text: 'record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB'
Any help would be highly appreciated. Thanks

0 Karma
1 Solution

whrg
Motivator

Hello @akki2428,

Check out the regex command:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

Somewhat more flexible, you could also extract the ID as new fields and filter on these fields:

| makeresults | eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB"
| rex field=_raw "record has not been created for id (?<id1>\w+),(?<id2>\w+) in DB"
| eval len_id1=len(id1) | eval len_id2=len(id2)
| search len_id1=10 len_id2=10


0 Karma


akki2428
New Member

Thanks @whrg, I tried using this command. It returns a record just for id x1IoGPTIBP. All other records are missed.

0 Karma

whrg
Motivator

@akki2428 The search query above using makeresults creates only one record for testing purposes. Your search should be something like this:

index=yourindex sourcetype=...
| regex _raw="record has not been created for id \w{10},\w{10} in DB"

If that does not work, perhaps you could post some other records.

0 Karma

akki2428
New Member

Sorry for being a Splunk noob, @whrg. This works as expected. Thanks!

0 Karma

akki2428
New Member

Hi @whrg. If, instead of the length, I want to check whether both IDs are equal, should |search id1=id2 just work? I tried it, but it is not returning any results.

0 Karma

whrg
Motivator

The search command's syntax is FIELD=VALUE. So |search id1=id2 will filter for the field id1 containing the string "id2".

You want to use where instead of search. where evaluates boolean expressions. Try: |where id1==id2

This should also work:

| regex _raw="record has not been created for id (\w{10}),\1 in DB"
0 Karma

akki2428
New Member

Hi @whrg, my search string is now "record failed (state error) for ID x1IoGPTIBP". I guess it doesn't extract the id because of the (state error) included in the search string. How can we escape this?

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
| rex field=_raw "record  failed (state error) for  ID (?<id1>\w+)"
| table id1
0 Karma

whrg
Motivator

Hello @akki2428, use backslashes to escape special characters:

| makeresults | eval _raw="record  failed (state error) for  ID x1IoGPTIBP"
| rex field=_raw "record  failed \(state error\) for  ID (?<id1>\w+)"
| table id1
0 Karma
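Putting the thread's pieces together, here is an added example (not whrg's or akki2428's own search): it builds a few constructed test events with makemv and mvexpand, extracts the ID from both message variants with the parentheses escaped, keeps only events whose two IDs match, and counts occurrences per ID. The field names failed_id and id and the sample events are assumptions for illustration.

```spl
| makeresults
| eval _raw="record has not been created for id x1IoGPTIBP,x1IoGPTIBP in DB;record has not been created for id AAAAAAAAAA,BBBBBBBBBB in DB;record failed (state error) for ID x1IoGPTIBP;record has not been created for id short,short in DB"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "record has not been created for id (?<id1>\w{10}),(?<id2>\w{10}) in DB"
| rex field=_raw "record failed \(state error\) for ID (?<failed_id>\w{10})"
| eval id=coalesce(id1, failed_id)
| where isnotnull(id) AND (isnull(id2) OR id1==id2)
| stats count, values(_raw) as messages by id
```

Only the events whose two IDs are equal (or the single-ID failure message) survive the where clause, so the mismatched and short-ID test events drop out; against indexed data, replace the first four lines with index=yourindex sourcetype=... as whrg suggests.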

mydog8it
Builder

The proposed search uses "makeresults" to be the data generator. You will need to provide the data generator part of the command to replace the "makeresults" portion of the suggested search. If you create a search to pipe to the regex, it should match more than the two you provided.

0 Karma