Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter for messages that contains text with quotation marks

raculim
Explorer
‎09-27-2024 12:33 PM

Hi, 

I'm having a hard time trying to narrow down my search results. 

I would like to return only the results that contain the following string on the message: "progress":"COMPLETED","subtopics":"COMPLETED"

The text must be all together, in the sequence above. 

I tried to add a string like the one below in my search but it didn't work:

message="*\"progress\":\"COMPLETED\",\"subtopics\":\"COMPLETED\"*"

Does anyone have suggestions on how to do that? 

I appreciate any help you can provide.

 
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 03:39 AM

Hi

one thing what you should do is to check how events are in raw data. Probably the easiest way is check it via "Event Actions -> Show Source".  

isoutamo_0-1727519863159.png

In that way you will see how it really is. After that you know (especially with json) are there any space or other character which you need to take care on your strings.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-28-2024 12:07 AM

Hi @raculim .. @PickleRick 's suggestion works fine, tested (9.3.0)

inventsekar_0-1727507219641.png

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 03:39 AM

Hi

one thing what you should do is to check how events are in raw data. Probably the easiest way is check it via "Event Actions -> Show Source".  

isoutamo_0-1727519863159.png

In that way you will see how it really is. After that you know (especially with json) are there any space or other character which you need to take care on your strings.

r. Ismo

Reply
Solved! Jump to solution

raculim
Explorer
‎09-30-2024 04:53 AM

Thanks @isoutamo . 

The raw data contains some backslashes already: 

\"TOPIC_COMPLETION\"

So I had to perform my seach like this:

index="..." "08:29:41.630" AND \\\"TOPIC_COMPLETION\\\"

Now it's working properly. 

Reply
Solved! Jump to solution

raculim
Explorer
‎09-27-2024 02:21 PM

Hi @PickleRick 

First of all, thanks for the reply. 

Let me try to give you a more concrete example:

1. One search example that returns a single result (this works as expected)

raculim_0-1727471674959.png

2. Adding the TOPIC_COMPLETION string to the search (this works as expected)

raculim_1-1727471887747.png

3. Adding the "TOPIC_COMPLETION" string to the search (this doesn't return any results. I was expecting the same results as in 1 and 2)

raculim_2-1727472020374.png

Version 9.2.2406.107

 
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2024 03:23 PM

Try enclosing your search term with quotes.

"\"TOPIC_COMPLETION\""
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2024 12:55 PM

Seems to work for me.

PickleRick_0-1727466910629.png

 

9.3.0

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...