Solved: Surrounding Search terms with quotes

sleepingKoala · ‎10-21-2021

Hi all, new user here. I was getting started on the tutorial and using the start searching page that came up after adding the data successfully I'm seeing behaviour I don't understand.

The search
index="splunktutorial" source="tutorialdata.zip:*" "categoryid=sports"
returns results but

index="splunktutorial" source="tutorialdata.zip:*" categoryid="sports"
or
index="splunktutorial" source="tutorialdata.zip:*" categoryid=sports
don't return results.
To be more confusing I added the condition action=purchase to the search that returned results and it worked as expected to return results where the action was "purchase".

https://docs.splunk.com/Documentation/SCS/current/Search/Quotations
The splunk documentation for quotation says all string literals must be in double quotes but gives no examples where the field has to be included. Both categoryid and action are classified as strings.

Any help understanding what is going on would be appreciated.

richgalloway · ‎10-21-2021

The first search looks for the literal string "categoryid=sports" in any field. The others look for a field called "categoryid" with a value of "sports". If the categoryid field doesn't exist then no results will be returned.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

PickleRick · ‎10-21-2021

Within an SPL search you indeed use quotes to enclose literal strings. You don't need it however for if you search for simple terms. For example

index=whatever something anything everything

Is a valid SPL search and will look within an index named whatever for events in which all specified terms - "something", "anything" and "everything" occur in any place and in any order (Remember that there is an implied AND between conditions).

But if you use quotes and modify your search to

index=whatever "something anything everything"

you'll be searching within the index whatever for this whole given sentence literarily as you provided it in quotes.

Furthermore, in your examples if you type

field=value

or

field="some other value with spaces and so on..."

You're telling Splunk to search for events in which a given field has a value you provided (unless you used wildcards, you're searching for a complete match - but case-insensitive - to a given field value)

And lastly the form of

"field=value"

Tells Splunk to look for a literal string "field=value" within the event.

You can even do

field="field=value"

Which will search for events which have a field that contains a string "field=value".

And about your searches - maybe you don't have a field categoryid in your data (remember that field names are case-sensitive, so categoryid is not the same as categoryId).

Try just searching within your index without further conditions and check your list of fields. Maybe there's some mistake.

richgalloway · ‎10-21-2021

The first search looks for the literal string "categoryid=sports" in any field. The others look for a field called "categoryid" with a value of "sports". If the categoryid field doesn't exist then no results will be returned.

---
If this reply helps you, Karma would be appreciated.

sleepingKoala · ‎10-21-2021

This was indeed the problem, the field name was categoryId (capital i) not categoryid so the search surrounded in quotations ignored case when searching. I didn't look closely because it was an autocomplete suggestion from the search assistant. I was under the impression it knew the field names.

Surrounding Search terms with quotes

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!