Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter out a specific phrase in a Splunk search

frodelauka
Observer
‎03-20-2024 05:32 AM

I'm trying to search for a specific phrase with the search below but I only want result1, not result2. The issue here, I guess, is that parts of the phrase I'm searching for is present in both results (same phrase marked in bold) ->

Search:

index=example host=example message_name=* AND profileId="xxxx-xxxxx-xxxxx" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""

Result1:

MessageReceiver:96 - Message received: {"name":"screenView","screenName":"assetcard","previous":{"name":"screenView","screenName":"homeScreen","subscreenName":"STB.TOP.HOME"

Result2:

MessageReceiver:96 - Message received: {"name":"screenView","screenName":"homeScreen","previous":{"name":"screenView","screenName":"assetcard"

Labels (1)
Labels
0 Karma
Reply

Gr0und_Z3r0
Contributor
‎03-20-2024 06:02 AM

Hi @frodelauka 

One way to do it based on the events you shared is as below.

| makeresults 
| eval log="MessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"assetcard\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"subscreenName\":\"STB.TOP.HOME\"\r\nMessageReceiver:96 - Message received: {\"name\":\"screenView\",\"screenName\":\"homeScreen\",\"previous\":{\"name\":\"screenView\",\"screenName\":\"assetcard\"" 
| makemv log delim="\r\n" 
| mvexpand log 
| eval check_msg_rxd=trim(replace(replace(mvindex(split(mvindex(split(log,",\"previous"),0),"received:"),-1),"\"",""),"\{",""))
|  where like(check_msg_rxd,"%assetcard")

 

If the reply helps, a Karma upvote would be appreciated.

0 Karma
Reply

frodelauka
Observer
‎03-20-2024 06:27 AM

I appreciate the feedback but as I'm just a Splunk rookie I do not understand the logic behind you query. Also, the makeresults function should be the first in the search so how would the entire search look like?

0 Karma
Reply

Gr0und_Z3r0
Contributor
‎03-20-2024 06:34 AM

Simplifying the way to approach it with a regex...

| rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous"
| where like(check,"%assetcard%")



The idea is to get values before the word "previous" and check that string with the one you want to meet your search criteria.

0 Karma
Reply

frodelauka
Observer
‎03-20-2024 06:59 AM

I understand. Still, trying to run the search it returns no result...

index=example host=* message_name=* AND profileId="example" AND "deviceClass":"example" AND "Message received: {"name":"screenView","screenName":"assetcard""
| rex field=_raw "Message received:\s\{(?P<check>.*?)\,\"previous"
| where like(check,"%assetcard%")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...