Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get events for exact matched string only in the field value

Meharkant123
New Member
‎04-25-2018 10:00 AM

I am searching :

index=web account_domain="INCCORP"

bur getting result which have account_doamain with "INCCORP","INCCOPR.NET", "-", "INCCORP.JIP" and so on(all field which have INCCORP in it)

Is there any query or command which will give events for only "INCCORP"? I would like to exclude remaining.
Much appreciate with your help.

Tags (4)
0 Karma
Reply

somesoni2
Revered Legend
‎04-25-2018 11:26 AM

I'm not sure if that's true. The index=web account_domain="INCCORP" should give events only with field account_domain has exact, but case in-sensitive, value INCCORP, as you're not using any wildcard here. Can you run following and see if you get just one row with account_domain=INCCORP or multiple rows for variations for it.

index=web account_domain="INCCORP" | stats count by account_domain
0 Karma
Reply

Meharkant123
New Member
‎04-25-2018 11:34 PM

my query was index=* account_domain="INCCORP"

result was like account_doamain with "INCCORP","INCCOPR.NET", "-",

0 Karma
Reply

DalJeanis
Legend
‎04-25-2018 10:34 AM

That behavior does not sound right. However, there are several options for making sure. Here are two...

| where (account_domain="INCCORP")

| search match(account_domain,"^INCCORP$")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...