Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get events for exact matched string only in the field value

Meharkant123
New Member
‎04-25-2018 10:00 AM

I am searching :

index=web account_domain="INCCORP"

bur getting result which have account_doamain with "INCCORP","INCCOPR.NET", "-", "INCCORP.JIP" and so on(all field which have INCCORP in it)

Is there any query or command which will give events for only "INCCORP"? I would like to exclude remaining.
Much appreciate with your help.

Tags (4)
0 Karma
Reply

somesoni2
Revered Legend
‎04-25-2018 11:26 AM

I'm not sure if that's true. The index=web account_domain="INCCORP" should give events only with field account_domain has exact, but case in-sensitive, value INCCORP, as you're not using any wildcard here. Can you run following and see if you get just one row with account_domain=INCCORP or multiple rows for variations for it.

index=web account_domain="INCCORP" | stats count by account_domain
0 Karma
Reply

Meharkant123
New Member
‎04-25-2018 11:34 PM

my query was index=* account_domain="INCCORP"

result was like account_doamain with "INCCORP","INCCOPR.NET", "-",

0 Karma
Reply

DalJeanis
Legend
‎04-25-2018 10:34 AM

That behavior does not sound right. However, there are several options for making sure. Here are two...

| where (account_domain="INCCORP")

| search match(account_domain,"^INCCORP$")
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...