Solved: Re: search brackets and special charachters

indeed_2000 · ‎03-27-2021

Hi

How can search something like this:

40: message.body.v10.timeLocalTransaction: [00*]

FYI: seems not support special char in search.

Thanks,

ITWhisperer · ‎03-28-2021

| makeresults | eval event="40: message.body.v10.timeLocalTransaction: [001]"
| regex event="40: message.body.v10.timeLocalTransaction: \[00.+\]"

View solution in original post

ITWhisperer · ‎03-27-2021

Special characters need to be escaped

| makeresults | eval event="40: message.body.v10.timeLocalTransaction: [00*]"
| regex event="40: message.body.v10.timeLocalTransaction: \[00\*\]"

indeed_2000 · ‎03-28-2021

star is wild card not "*"

e.x

[001]

[000008]

[0032]

ITWhisperer · ‎03-28-2021

| makeresults | eval event="40: message.body.v10.timeLocalTransaction: [001]"
| regex event="40: message.body.v10.timeLocalTransaction: \[00.+\]"

indeed_2000 · ‎03-28-2021

It work but slow!

is it possible to do this faster? I mean tune spl command?

Thanks,

ITWhisperer · ‎03-28-2021

Where is it slow? Analyse the job inspector to see where processing is taking place, then look to see if you can modify the query to improve the performance. Sometimes, large amounts of data take a long time to process!

search brackets and special charachters

regex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms