Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two of the same type of message string and show table data?

anirban_nag
Explorer
‎12-22-2015 12:15 PM

I have one index as foo. In this index there are messages like Bar Baz Hello...., Bar Baz Blah..., Bar Hi.... I want to show the data of the events corresponding with the message which starts with Bar Baz so Bar Hi... will not be shown. I am trying with the following search:

index=foo message="Bar Baz"* | table message _time data

But it is showing nothing. I know I am missing something.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-22-2015 05:58 PM

There's a typo in your search. Wildcats should go inside the double quotes:

index=foo message="Bar Baz*" | table message _time data

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-22-2015 05:58 PM

There's a typo in your search. Wildcats should go inside the double quotes:

index=foo message="Bar Baz*" | table message _time data
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...