Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Filter for messages that contains text with quotation marks

raculim
Explorer
‎09-27-2024 12:33 PM

Hi, 

I'm having a hard time trying to narrow down my search results. 

I would like to return only the results that contain the following string on the message: "progress":"COMPLETED","subtopics":"COMPLETED"

The text must be all together, in the sequence above. 

I tried to add a string like the one below in my search but it didn't work:

message="*\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"*"

Does anyone have suggestions on how to do that? 

I appreciate any help you can provide.

 
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 03:39 AM

Hi

one thing what you should do is to check how events are in raw data. Probably the easiest way is check it via "Event Actions -> Show Source".  

isoutamo_0-1727519863159.png

In that way you will see how it really is. After that you know (especially with json) are there any space or other character which you need to take care on your strings.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-28-2024 12:07 AM

Hi @raculim .. @PickleRick 's suggestion works fine, tested (9.3.0)

inventsekar_0-1727507219641.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 03:39 AM

Hi

one thing what you should do is to check how events are in raw data. Probably the easiest way is check it via "Event Actions -> Show Source".  

isoutamo_0-1727519863159.png

In that way you will see how it really is. After that you know (especially with json) are there any space or other character which you need to take care on your strings.

r. Ismo

Reply
Solved! Jump to solution

raculim
Explorer
‎09-30-2024 04:53 AM

Thanks @isoutamo . 

The raw data contains some backslashes already: 

\"TOPIC_COMPLETION\"

So I had to perform my seach like this:

index="..." "08:29:41.630" AND \\\"TOPIC_COMPLETION\\\"

Now it's working properly. 

Reply
Solved! Jump to solution

raculim
Explorer
‎09-27-2024 02:21 PM

Hi @PickleRick 

First of all, thanks for the reply. 

Let me try to give you a more concrete example:

1. One search example that returns a single result (this works as expected)

raculim_0-1727471674959.png

2. Adding the TOPIC_COMPLETION string to the search (this works as expected)

raculim_1-1727471887747.png

3. Adding the "TOPIC_COMPLETION" string to the search (this doesn't return any results. I was expecting the same results as in 1 and 2)

raculim_2-1727472020374.png

Version 9.2.2406.107

 
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2024 03:23 PM

Try enclosing your search term with quotes.

"\"TOPIC_COMPLETION\""
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2024 12:55 PM

Seems to work for me.

PickleRick_0-1727466910629.png

 

9.3.0

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...