Splunk Search

search brackets and special characters

mehrdad_2000
Path Finder

Hi

How can I search for something like this:

40: message.body.v10.timeLocalTransaction: [00*]

 

FYI: it seems special characters are not supported in search.

 

Thanks,


ITWhisperer
Ultra Champion

Special characters need to be escaped

| makeresults | eval event="40: message.body.v10.timeLocalTransaction: [00*]"
| regex event="40: message.body.v10.timeLocalTransaction: \[00\*\]"

mehrdad_2000
Path Finder

The star is a wildcard, not a literal "*".

e.g.

[001]

[000008]

[0032]


ITWhisperer
Ultra Champion
| makeresults | eval event="40: message.body.v10.timeLocalTransaction: [001]"
| regex event="40: message.body.v10.timeLocalTransaction: \[00.+\]"


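To see why the accepted answer escapes the brackets and turns the star into `.+`, here is an added example (not code from the thread or from Splunk) that runs the three candidate patterns over a handful of constructed events shaped like the poster's samples. It uses Python's `re` module on the assumption that, for these constructs (escaped `[`, `]` and `*`, `.+`, `\d+`), it behaves the same as the PCRE engine behind the Splunk `regex` command. The unescaped pattern is included to show what actually happens when the brackets are left as-is: `[00*]` becomes a character class, so it matches an event with no brackets at all and misses every bracketed one.

```python
import re

# Constructed sample events modelled on the thread's examples (not real Splunk data).
EVENTS = [
    "40: message.body.v10.timeLocalTransaction: [001]",
    "40: message.body.v10.timeLocalTransaction: [000008]",
    "40: message.body.v10.timeLocalTransaction: [0032]",
    "40: message.body.v10.timeLocalTransaction: [00*]",   # a literal asterisk in the data
    "40: message.body.v10.timeLocalTransaction: [0100]",  # value does not start with 00
    "40: message.body.v10.timeLocalTransaction: 001",     # no brackets at all
]

PREFIX = "40: message.body.v10.timeLocalTransaction: "

# What the poster typed: brackets and star left unescaped.  In a regex,
# "[00*]" is a character class matching one '0' or one '*', not the text "[00*]".
UNESCAPED = re.compile(PREFIX + "[00*]")

# First reply: every metacharacter escaped, so this only matches a literal "[00*]".
LITERAL_STAR = re.compile(re.escape(PREFIX) + r"\[00\*\]")

# Accepted answer: the star is a wildcard, so "00" followed by one or more of anything.
WILDCARD_ANY = re.compile(re.escape(PREFIX) + r"\[00.+\]")

# Tighter variant (assumption: the bracketed value is always digits): "00" then digits only,
# so a stray "[00*]" or "[00abc]" in the data is not picked up by accident.
WILDCARD_DIGITS = re.compile(re.escape(PREFIX) + r"\[00\d+\]")


def matches(pattern: re.Pattern, events: list[str]) -> list[str]:
    """Return the events the compiled pattern finds a match in, in input order."""
    return [e for e in events if pattern.search(e)]


if __name__ == "__main__":
    for name, pat in [("unescaped", UNESCAPED), ("literal star", LITERAL_STAR),
                      ("wildcard .+", WILDCARD_ANY), ("wildcard \\d+", WILDCARD_DIGITS)]:
        print(f"{name:13s} -> {matches(pat, EVENTS)}")
```

The check a practitioner would run before trusting the search is exactly this: feed the pattern a few events that should match and a few that should not, and confirm the `[0100]` and bracket-less lines stay out. In SPL the same assertions come from piping a `makeresults` event through `regex`, as the answer above does; the Python version just lets you run all the variants side by side offline.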

mehrdad_2000
Path Finder

It works, but it is slow!

Is it possible to do this faster? I mean, tune the SPL command?

 

Thanks,


ITWhisperer
Ultra Champion

Where is it slow? Analyse the job inspector to see where processing is taking place, then look to see if you can modify the query to improve the performance. Sometimes, large amounts of data take a long time to process!
