Splunk Search

How do you search for a specific word when you don't know what the field is?

brewster88
New Member

Heya Guys,

I'm very new to Splunk and this is likely an obvious answer or I have skimmed across documentation and missed it.

So at the moment, we are ingesting logs from Google cloud, and I am interested in finding specific words such as 'error', 'fail', etc. However, I do not know the specific field name where this might appear.

Is there a search I could run as a sort of catch all that could pick up on this within our environment?

Something like the below?

index="gcp_logs" (message contains 'error' OR 'fail*') 

Any help would be appreciated.

Tom

Tags (3)
0 Karma
1 Solution

FrankVl
Ultra Champion

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

View solution in original post

0 Karma

brewster88
New Member

Really useful guys, this was exactly what I was after!

Will be starting the Splunk Fundamentals shortly as well 🙂

Kind Regards,

Tom

0 Karma

dkeck
Influencer

HI,

just simple search for the word

index="gcp_logs" error

BUT keep in mind there will be an AND between a error and another word you want to search.

So if you search for error fail, add a OR if you want events with both. so error OR fail

0 Karma

FrankVl
Ultra Champion

Assuming those words occur in the raw event, just enter those words as search terms: index="gcp_logs" ("error" OR "fail*")

Have you gone through the Fundamentals 1 training course yet? If not: I can really recommend it. It's a great introduction into the concepts of Splunk and the basic workings of the search language 🙂

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...