Splunk Search

Surrounding Search terms with quotes

sleepingKoala
Engager

Hi all, new user here. I was getting started on the tutorial and using the start searching page that came up after adding the data successfully I'm seeing behaviour I don't understand.

The search
index="splunktutorial" source="tutorialdata.zip:*"  "categoryid=sports"
returns results but

index="splunktutorial" source="tutorialdata.zip:*" categoryid="sports"
or
index="splunktutorial" source="tutorialdata.zip:*" categoryid=sports
don't return results.
To be more confusing, I added the condition action=purchase to the search that returned results and it worked as expected to return results where the action was "purchase".

https://docs.splunk.com/Documentation/SCS/current/Search/Quotations
The Splunk documentation on quotations says all string literals must be in double quotes but gives no examples where the field has to be included. Both categoryid and action are classified as strings.

Any help understanding what is going on would be appreciated.

0 Karma
1 Solution

richgalloway
SplunkTrust

The first search looks for the literal string "categoryid=sports" in any field.  The others look for a field called "categoryid" with a value of "sports".  If the categoryid field doesn't exist then no results will be returned.

---
If this reply helps you, Karma would be appreciated.


PickleRick
SplunkTrust

Within an SPL search you indeed use quotes to enclose literal strings. You don't need them, however, if you search for simple terms. For example

index=whatever something anything everything

is a valid SPL search and will look within an index named whatever for events in which all specified terms - "something", "anything" and "everything" - occur in any place and in any order (remember that there is an implied AND between conditions).

But if you use quotes and modify your search to

index=whatever "something anything everything"

you'll be searching within the index whatever for this whole given sentence literally, as you provided it in quotes.

Furthermore, in your examples if you type

field=value

or

field="some other value with spaces and so on..."

you're telling Splunk to search for events in which a given field has the value you provided (unless you used wildcards, you're searching for a complete match - but case-insensitive - to a given field value).

And lastly the form of

"field=value"

tells Splunk to look for a literal string "field=value" within the event.

You can even do

field="field=value"

which will search for events which have a field that contains the string "field=value".

And about your searches - maybe you don't have a field categoryid in your data (remember that field names are case-sensitive, so categoryid is not the same as categoryId).

Try just searching within your index without further conditions and check your list of fields. Maybe there's some mistake.
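As an added illustration (not from this thread and not Splunk's own code), here is a small Python emulation of the two search forms discussed above: a quoted literal matched against the raw event versus field=value matched against extracted fields, with case-sensitive field names and case-insensitive values. The sample events and the key=value extraction regex are constructed assumptions that only approximate Splunk's real tokenizer and field extraction.

```python
import re

# Constructed sample events loosely modelled on the Splunk tutorial's web
# access data. Note the field name differs in case between events:
# "categoryId" in the first two, "categoryid" in the third.
EVENTS = [
    'GET /category.screen?categoryId=SPORTS&JSESSIONID=SD5SL7FF6ADFF4953 action=view',
    'POST /cart.do?action=purchase&categoryId=sports&itemId=EST-14',
    'GET /product.screen?productId=WC-SH-A01 categoryid=sports action=view',
]

# Assumed simplification of Splunk's automatic key=value extraction:
# a word, '=', then everything up to the next '&' or whitespace.
_KV = re.compile(r'(\w+)=([^&\s]+)')


def extract_fields(event: str) -> dict:
    """Return the key=value pairs found in a raw event.

    Field names keep their original case, mirroring Splunk's
    case-sensitive field names.
    """
    return {k: v for k, v in _KV.findall(event)}


def literal_search(events, phrase: str) -> list:
    """Emulate the SPL form "phrase": the quoted text must occur somewhere
    in the raw event; the comparison is case-insensitive."""
    needle = phrase.lower()
    return [e for e in events if needle in e.lower()]


def field_search(events, field: str, value: str) -> list:
    """Emulate the SPL form field=value: the field must exist under exactly
    that name (case-sensitive) and its value must match case-insensitively.
    Events with no such field are simply not returned."""
    hits = []
    for e in events:
        fields = extract_fields(e)
        if field in fields and fields[field].lower() == value.lower():
            hits.append(e)
    return hits


def and_search(events, *predicates) -> list:
    """Apply several conditions with the implied AND between SPL terms."""
    for pred in predicates:
        events = pred(events)
    return events
```

Running `field_search(EVENTS, "categoryid", "sports")` finds only the third event, while `literal_search(EVENTS, "categoryid=sports")` finds all three, which is exactly the asymmetry the original question observed.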

sleepingKoala
Engager

This was indeed the problem, the field name was categoryId (capital i) not categoryid so the search surrounded in quotations ignored case when searching. I didn't look closely because it was an autocomplete suggestion from the search assistant. I was under the impression it knew the field names.

0 Karma