Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search matching big multiline string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search matching big multiline string
Hello All,
I have a multiline very big string exported from excel CSV file to splunk...it worked good i can see all the values in fields
now if I want to search
index = xxxxxx source = yyyyyyyy field = " below given sample field value"
then I am getting NO RESULT
Do I need any special search methods to be used to match exact string ?????
sample field value is below (PLease note this forum is not showing 100% match of my text when I paste here, but it is 90% match )
The ! (exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft WindowsConfigure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) .
Disable insecure TLS/SSL protocol support
Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that your field starts with a space, which is a segmenter.
I won't try to explain the nuance but try calling out each word of the match string like this:
index = xxxxxx source = yyyyyyyy below given sample field value field=" below given sample field value"
Try bookending your search string with asterisks like this:
index = xxxxxx source = yyyyyyyy field="*below given sample field value*"
or:
index = xxxxxx source = yyyyyyyy below given sample field value field=" below given sample field value"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply....Actaully there is no space in the beginning
when I upload the CSV, the values are stored in a field called "Solution"
now I have to make a drilldown down report, where I am writing the query (This is dynamic, first level is a table with all soutions....after clicking a row of the table , the report goes to further level down, with more details about particular solution)...I am able to show the table ....when a row is clicked , I am trying to get the details of that solution writing something like below....
Solution = "The ! (exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft Windows
Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) . "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, field = " blah blah " seems problematic. Wonder if he should be using a field name at all in this case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply....Actaully there is no space in the beginning
when I upload the CSV, the values are stored in a field called "Solution"
now I have to make a drilldown down report, where I am writing the query (This is dynamic, first level is a table with all soutions....after clicking a row of the table , the report goes to further level down, with more details about particular solution)...I am able to show the table ....when a row is clicked , I am trying to get the details of that solution writing something like below....
Solution = "The ! (exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft Windows
Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) . "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@722624... Have you tried escaping special characters in your search string with backslash \?
Also use TERM() for defining exact term for search.
https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried using TERM but not getting any result
I used like this
TERM(The ! (exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft Windows
Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) .)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
