- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to filter out a specific phrase in a Splunk se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to filter out a specific phrase in a Splunk search
I'm trying to search for a specific phrase with the search below but I only want result1, not result2. The issue here, I guess, is that parts of the phrase I'm searching for is present in both results (same phrase marked in bold) ->
Search:
index=example host=example message_name=* AND profileId="xxxx-xxxxx-xxxxx" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""
Result1:
MessageReceiver:96 - Message received: {"name":"screenView","screenName":"assetcard","previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"
Result2:
MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen","previous":{"name":"screenView","screenName":"assetcard"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @frodelauka
One way to do it based on the events you shared is as below.
| makeresults
| eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\""
| makemv log delim="\r\n"
| mvexpand log
| eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{",""))
| where like(check_msg_rxd,"%assetcard")
If the reply helps, a Karma upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I appreciate the feedback but as I'm just a Splunk rookie I do not understand the logic behind you query. Also, the makeresults function should be the first in the search so how would the entire search look like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simplifying the way to approach it with a regex...
| rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous"
| where like(check,"%assetcard%")
The idea is to get values before the word "previous" and check that string with the one you want to meet your search criteria.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand. Still, trying to run the search it returns no result...
index=example host=* message_name=* AND profileId="example" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""
| rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous"
| where like(check,"%assetcard%")
Modern way of developing distributed application using OTel
Enterprise Security Content Update (ESCU) | New Releases
Archived Metrics Now Available for APAC and EMEA realms
