Splunk Search

Why would a basic substring search fail?

Communicator

These two searches don't return the same thing, and I think they should. The first one returns nothing, the second one returns some events.

Search1:

index=abc toto3

Search2:

index=abc _raw=*toto3*

In other words, clearly I have some events which contain toto3. Search 2 proves it, but they are not returned by Search 1 when I would expect them to be. Does anybody know how this can be possible?


Motivator

A search like this:

index=abc toto3

does not perform a substring search. It performs a search for a word (technically a segment) that is equal to "toto3", as in toto3 is in my event. To perform a substring search in Splunk, you use the wildcards like your second search or like what @sanjay.shrestha posted:

index=abc *toto3*

This finds toto3 when it is inside a segment but does not make up the complete segment, like toto3isin my event.

So the answer to your question is that the substring search is not failing. index=abc toto3 is not a substring search, but index=abc *toto3* is.
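To make the segment-versus-substring distinction concrete, here is an added Python model of the behaviour described in this answer. It is not Splunk's own segmenter or search code: the breaker character set, the sample events and the function names are assumptions constructed for illustration. It builds a tiny inverted index of segments and then runs the three search styles from the thread (bare term, `*toto3*` wildcard, `_raw` substring) against it.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events for this example; not from the original thread.
EVENTS = [
    "2024-01-01T10:00:00 host=web1 msg=toto3isin my event",
    "2024-01-01T10:00:01 host=web2 user=alice action=login",
    "2024-01-01T10:00:02 host=web3 job=toto3 status=ok",
]

# Assumption: a rough stand-in for Splunk's default breakers, not the real
# segmenters.conf. Whitespace and punctuation split raw text into segments.
BREAKERS = re.compile(r"[\s\[\]<>(){}|!;,'\"&?/:=@.\-]+")


def segment(raw):
    """Split one raw event into the segments (words) an index would store."""
    return [s for s in BREAKERS.split(raw) if s]


def build_index(events):
    """Build a simple inverted index: lowercased segment -> set of event ids."""
    index = defaultdict(set)
    for i, raw in enumerate(events):
        for seg in segment(raw):
            index[seg.lower()].add(i)
    return index


def term_search(index, term):
    """Models `index=abc toto3`: an exact segment lookup, like Search 1."""
    return sorted(index.get(term.lower(), set()))


def wildcard_search(index, pattern):
    """Models `index=abc *toto3*`: match the pattern against every segment."""
    hits = set()
    for seg, ids in index.items():
        if fnmatchcase(seg, pattern.lower()):
            hits |= ids
    return sorted(hits)


def raw_search(events, needle):
    """Models `index=abc _raw=*toto3*`: substring test on the whole raw event."""
    return sorted(i for i, raw in enumerate(events)
                  if needle.lower() in raw.lower())


if __name__ == "__main__":
    idx = build_index(EVENTS)
    print("segments of event 0:", segment(EVENTS[0]))
    print("term  toto3    ->", term_search(idx, "toto3"))      # [2]
    print("wild  *toto3*  ->", wildcard_search(idx, "*toto3*"))  # [0, 2]
    print("_raw  *toto3*  ->", raw_search(EVENTS, "toto3"))     # [0, 2]
```

Event 0 is indexed as the single segment `toto3isin`, so the bare term lookup never sees `toto3` inside it; only the wildcard and `_raw` forms find it. The same model explains why a detection search keyed on a bare token can silently miss events where the token is glued to neighbouring characters.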

Contributor

Can you try:

index=abc "toto3"

Communicator

Yes, that returns some events too, like Search 2 does.


Communicator

That doesn't return anything, like Search 1.


Contributor

I think toto3 is not a complete word, so you can try:

index=abc "*toto3*"

Contributor

When toto3 was used, Splunk looks for the single word toto3.


Communicator

Yes, it looks like it does that, indeed, but it's not supposed to do that.
