Solved: How to combine two of the same type of message str...

anirban_nag · ‎12-22-2015

I have one index as foo. In this index there are messages like Bar Baz Hello...., Bar Baz Blah..., Bar Hi.... I want to show the data of the events corresponding with the message which starts with Bar Baz so Bar Hi... will not be shown. I am trying with the following search:

index=foo message="Bar Baz"* | table message _time data

But it is showing nothing. I know I am missing something.

javiergn · ‎12-22-2015

There's a typo in your search. Wildcats should go inside the double quotes:

index=foo message="Bar Baz*" | table message _time data

View solution in original post

javiergn · ‎12-22-2015

There's a typo in your search. Wildcats should go inside the double quotes:

index=foo message="Bar Baz*" | table message _time data

How to combine two of the same type of message string and show table data?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to combine two of the same type of message string and show table data?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...