Splunk Search

Why would a basic substring search fail?

manus
Communicator

These two searches don't return the same thing, and I think they should. The first one returns nothing, the second one returns some events.

Search1:

index=abc toto3

Search2:

index=abc _raw=*toto3*

In other words, clearly I have some events which contain toto3. Search2 proves it, but they are not returned by search1 when I would expect them to be. Does anybody know how this can be possible?

0 Karma

wpreston
Motivator

A search like this:

index=abc toto3

does not perform a substring search. It performs a search for a word (technically a segment) that is equal to "toto3", as in "toto3 is in my event". To perform a substring search in Splunk, you use the wildcards like your second search or like what @sanjay.shrestha posted:

index=abc *toto3*

This finds toto3 when it is inside a segment but does not make up the complete segment, like "toto3isin my event".

So the answer to your question is that the substring search is not failing. index=abc toto3 is not a substring search, but index=abc *toto3* is.
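To make the segment-versus-substring distinction concrete, here is an added example (not code from the thread, and not Splunk's own implementation): a small Python model of Splunk's default "indexing" segmentation. It splits each event's _raw on an approximate set of major breakers (whitespace and most punctuation) and minor breakers (such as `=`, `/`, `:`, `.`, `-`), indexes both the major segments and their minor pieces as terms, and then compares a bare term search (`index=abc toto3`) with a wildcard search (`index=abc *toto3*`). The breaker sets and the sample events are constructed for illustration; real segmentation is governed by segmenters.conf and differs in details.

```python
import re
from fnmatch import fnmatchcase

# Approximation of Splunk's default breakers (see segmenters.conf); this is a
# simplified model for illustration, not the real tokenizer.
MAJOR_BREAKERS = " \t\r\n[]<>(){}|!;,'\"*&?+"
MINOR_BREAKERS = "/:=@.-$#%\\_"

_MAJOR_RX = re.compile("[" + re.escape(MAJOR_BREAKERS) + "]+")
_MINOR_RX = re.compile("[" + re.escape(MINOR_BREAKERS) + "]+")


def segment(raw: str) -> set[str]:
    """Return the set of indexed terms for one event's _raw text.

    Text between major breakers forms a major segment, which is indexed whole;
    each major segment is also split on minor breakers and every piece is
    indexed too. Terms are lower-cased because the lexicon is case-insensitive.
    """
    terms = set()
    for major in _MAJOR_RX.split(raw):
        if not major:
            continue
        terms.add(major.lower())
        for minor in _MINOR_RX.split(major):
            if minor:
                terms.add(minor.lower())
    return terms


def term_search(events: list[str], term: str) -> list[str]:
    """Model of `index=abc toto3`: the event matches only if `term` is itself
    one of its indexed terms (a whole segment), never if it is merely a
    substring of a longer segment."""
    want = term.lower()
    return [e for e in events if want in segment(e)]


def wildcard_search(events: list[str], pattern: str) -> list[str]:
    """Model of `index=abc *toto3*`: the glob is compared against every indexed
    term, so a term that merely *contains* toto3 (e.g. toto3isin) matches."""
    want = pattern.lower()
    return [e for e in events if any(fnmatchcase(t, want) for t in segment(e))]


# Constructed sample events, one per case discussed in the thread.
EVENTS = [
    "toto3 is in my event",        # toto3 is a whole segment: term search hits
    "toto3isin my event",          # toto3 is inside the segment "toto3isin": term search misses
    "user=toto3 action=login",     # '=' is a minor breaker, so toto3 is still a term
    "nothing to see here",         # no toto3 at all
]

if __name__ == "__main__":
    print("index=abc toto3   ->", term_search(EVENTS, "toto3"))
    print("index=abc *toto3* ->", wildcard_search(EVENTS, "*toto3*"))
```

The model reproduces the thread's observation: the bare term finds only the first and third events, while the wildcard also finds "toto3isin". One caveat worth keeping in mind: a leading wildcard such as `*toto3*` cannot be resolved by a prefix seek in the lexicon and forces a scan of every indexed term, so in practice pair it with selective indexed constraints (index, sourcetype, host, a narrow time range) rather than running it across a large index on its own.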

sanjay_shrestha
Contributor

Can you try:

index=abc "toto3"
0 Karma

manus
Communicator

Yes, that returns some events too, like Search 2 does.

0 Karma

manus
Communicator

That doesn't return anything, like Search 1.

0 Karma

sanjay_shrestha
Contributor

I think toto3 is not a complete word. So you can try

index=abc "*toto3*"
0 Karma

sanjay_shrestha
Contributor

When toto3 was used, Splunk looks for the single word toto3.

0 Karma

manus
Communicator

Yes, it looks like it does that, indeed, but it's not supposed to do that.

0 Karma