Hi,
I want to search for this string in a Splunk index,
but I keep getting wrong results. I guess it has to do with **. How can I overcome this?
Thanks,
Snabel
Use this
error
| regex _raw="\*\*\sERROR\s\=\>"
The first line searches for any event that has "error" in it, providing a first approximation to what you want. The second line uses a regular expression to find exactly the string "** ERROR =>". Note that '\s' denotes whitespace. If there are no spaces in the string, remove the \s.
HTH
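An added example, not part of the original answer: the two regexes posted in this thread, run over constructed sample events, plus a hypothetical helper (`literal_pattern`) that escapes a literal marker and generalizes the "remove the \s" advice to optional spaces. Python's `re` stands in here for the PCRE engine behind Splunk's `regex` command; the sample events and function names are assumptions.

```python
import re

# Constructed sample events: the two log shapes quoted in the thread plus
# the unwanted hits the wildcard search returned.
SAMPLE_EVENTS = [
    "| ** ERROR => SOMETHING **|",
    "| ** ERROR **|",
    "SWI_JS_SCRIPT_ERROR raised",
    "Error while loading page",
    "error: timeout",
    "| **ERROR=> SOMETHING **|",   # same marker written without spaces
]

# Patterns as posted in the thread.
ARROW_ONLY = r"\*\*\sERROR\s\=\>"
WITH_OR_WITHOUT_ARROW = r"\*\*\sERROR\s"


def literal_pattern(text, flexible_space=False):
    """Build a regex for a literal marker, escaping metacharacters such as '*'.

    With flexible_space=True every space becomes \\s*, so the marker
    matches whether or not the spaces are present (hypothetical helper).
    """
    parts = [re.escape(p) for p in text.split(" ")]
    return (r"\s*" if flexible_space else r"\s").join(parts)


def matching_events(pattern, events=SAMPLE_EVENTS):
    """Return the events in which the regex matches anywhere in the raw text."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e)]


def compiles(pattern):
    """Report whether the pattern is a valid regex at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```

Pasting the marker into a regex unescaped does not compile, because `*` is a quantifier with nothing before it to repeat; that is why each asterisk needs a backslash.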
If you're looking for "** ERROR =>" OR "** ERROR"
then you're really just looking for "** ERROR"
because that already matches the one with the ASCII arrow. Here's a modified version of lguinn's search which matches both examples for me:
ERROR | regex _raw="\*\*\sERROR\s"
Because I think the logs will contain the following log prints:
| ** ERROR => SOMETHING **| or | ** ERROR **|
I thought to search for any string that looks like this:
** ERROR => or ** ERROR
Maybe there is a better way to look for these patterns; I'm really open to any suggestions.
Thanks,
Snabel
Why don't you only search "ERROR =>"? What is the significance of the **?
Thanks all, but it's still not working.
Here are the log prints I have in NR9 nss.log:
| ** ERROR => SOMETHING **|
That's what I'm trying to search for.
Thanks,
Snabel
Hi,
It didn't work.
I wrote this in the search bar: index=* ** ERROR=>*
and I got the following results:
SWI_JS_SCRIPT_ERROR
Error
error
** ERROR =>
while I only wanted this:
** ERROR =>
Is there a way to escape special characters in the Splunk search bar, in version 5.0.1?
Thanks,
Snabel
Did you try searching like this:
index=* **ERROR=>*
I'm working with Splunk version 5.0.1.