
Is it possible to search "keyword", but not operate on _raw field of the event?

abour
Explorer

Is there a way to use something like search "keyword", but not operate on the _raw field of the event, and instead operate on, let's say, field1 and field2?

search field="keyword" is not the same, as this is an exact match. Likewise, if using wildcards, the delimiter/word-matching capability is gone. Is there any way to achieve this seemingly simple thing without needing to circle back to regular expression matching on fields?

I seem to be able to achieve something close via eval _raw=field1.field2 | search "keyword". Is it a bad idea to do this and is there a way to extract the original fields in that case or would they be lost?


martin_mueller
SplunkTrust

You could use both worlds:

index=foo sourcetype=bar field=*keyword* keyword | regex field=".*\bkeyword\b.*"

The basic search gets you as close as it can, and the regex throws out fringe events.

martin_mueller
SplunkTrust

The second keyword is just there to speed things up, enabling Splunk to only load good potential matches off disk rather than everything.


abour
Explorer

Is that really the same? I think the second keyword instance would match on all fields, while the wildcard version only matches field. The resulting set is not the same in all cases, I believe.


woodcock
Esteemed Legend

Like this?

(field1=* AND field2=*) AND (field1="keyword" OR field2="keyword")

Or maybe this:

(field1=* AND field2=*) AND (field1=*keyword* OR field2=*keyword*)

Perhaps some of what you are experiencing is related to this frustrating situation, intrinsic to Splunk searching optimizations:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

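The three matching behaviours discussed in this thread (exact field=value, wildcard field=*value*, and the word-boundary regex that martin_mueller layers on top of the wildcard prefilter) are easy to confuse, so here is an added, stand-alone Python model of them run over a handful of constructed events. This is not Splunk code and not from any of the posters; the events, the field names field1/field2, and the tokenizer used to stand in for Splunk's indexed-term search are all assumptions made for the illustration. It shows which events each mode admits, including the "fringe" substring hits the regex throws out and the event that only a bare term search over _raw would return.

```python
import re
from typing import Callable, Dict, List

# Constructed sample events (not from the original thread). Each carries the
# extracted fields plus the _raw line they were extracted from.
EVENTS: List[Dict] = [
    {"id": 1, "field1": "login",   "field2": "keyword",
     "_raw": "id=1 field1=login field2=keyword"},
    {"id": 2, "field1": "login",   "field2": "keywords",       # substring only
     "_raw": "id=2 field1=login field2=keywords"},
    {"id": 3, "field1": "login",   "field2": "my-keyword",     # delimited by '-'
     "_raw": "id=3 field1=login field2=my-keyword"},
    {"id": 4, "field1": "keyword", "field2": "ok",             # match in field1
     "_raw": "id=4 field1=keyword field2=ok"},
    {"id": 5, "field1": "login",   "field2": "ok",             # only in _raw
     "_raw": "id=5 field1=login field2=ok note=keyword"},
    {"id": 6, "field1": "login",   "field2": "mykeyword",      # glued to a word
     "_raw": "id=6 field1=login field2=mykeyword"},
]
FIELDS = ["field1", "field2"]


def exact_match(value: str, term: str) -> bool:
    """field="keyword": the whole field value must equal the term.
    Assumption for this model: comparison is case-insensitive."""
    return value.lower() == term.lower()


def wildcard_match(value: str, pattern: str) -> bool:
    """field=*keyword*: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def word_match(value: str, term: str) -> bool:
    """| regex field=".*\\bkeyword\\b.*": the term must appear as a whole word,
    so 'my-keyword' matches but 'keywords' and 'mykeyword' do not."""
    return re.search(rf"\b{re.escape(term)}\b", value, re.IGNORECASE) is not None


def term_in_raw(raw: str, term: str) -> bool:
    """Bare 'keyword' search term. Simplified model (assumption): _raw is split
    into tokens on non-alphanumerics and the term must equal one whole token."""
    tokens = re.split(r"[^A-Za-z0-9]+", raw.lower())
    return term.lower() in tokens


def search(events: List[Dict], fields: List[str], term: str,
           matcher: Callable[[str, str], bool]) -> List[int]:
    """Ids of events where matcher() holds for the term in ANY of the fields."""
    return [e["id"] for e in events if any(matcher(e[f], term) for f in fields)]


def two_stage(events: List[Dict], fields: List[str], term: str) -> List[int]:
    """martin_mueller's approach: cheap wildcard prefilter on the fields AND the
    bare term over _raw, then the word-boundary regex drops fringe matches."""
    pattern = f"*{term}*"
    prefiltered = [e for e in events
                   if any(wildcard_match(e[f], pattern) for f in fields)
                   and term_in_raw(e["_raw"], term)]
    return search(prefiltered, fields, term, word_match)


if __name__ == "__main__":
    print("exact     field=keyword     :", search(EVENTS, FIELDS, "keyword", exact_match))
    print("wildcard  field=*keyword*   :", search(EVENTS, FIELDS, "*keyword*", wildcard_match))
    print("regex     \\bkeyword\\b       :", search(EVENTS, FIELDS, "keyword", word_match))
    print("bare term over _raw         :", search(EVENTS, ["_raw"], "keyword", term_in_raw))
    print("wildcard + term + regex     :", two_stage(EVENTS, FIELDS, "keyword"))
```

Run as a script it prints the id list for each mode. The exact match finds only events 1 and 4, the wildcard additionally admits 2, 3 and 6, and the word-boundary regex keeps 3 (hyphen-delimited) while throwing out 2 and 6. The bare term over _raw is the only mode that returns event 5, where the word appears outside field1/field2, which is the behaviour the question wants to avoid; ANDed with the field wildcard it no longer does. Whether Splunk's real segmentation agrees with the toy tokenizer on every input is not something this model can tell you, so treat the term prefilter as a speed hint and the regex as the authoritative filter.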