Solved: Search by Field's Value

edschembor · ‎06-25-2014

So I have a search where I need to further search by the value of the field.

ie)
| eval EPHID = "EPH1406180001103"
| search EPHID

Searches for logs with "EPHID" and not "EPH1406180001103". Is there some way to search for the field's value and not the field?

Thanks!

aweitzman · ‎06-25-2014

Try the following:

| eval EPHID = "EPH1406180001103" | where like(_raw,"%".EPHID."%")

View solution in original post

edschembor · ‎06-25-2014

Let me give some more information:

I have a statement "eval entity="" " which is eventually set to some value which will only be a single value. Now, I need to further search the logs for this single value. Is there a way so that I search what entity equals as opposed to just its name?

davby · ‎06-25-2014

Use a subsearch. Using your example as a starting point:

[| gentimes start=-1 | eval EPHID="EPH1406180001103" | rename EPHID as query | fields query ]

Presumably your search is more complex than your example. If you have a search that results in EPHID having one or more values, then the gentimes stanza will not be needed; replace gentimes and eval with that search instead. For example:

[search user="john.doe" | rename host as query | fields query]

will search for events with user "john.doe", get the host field from these, then search for that value in everything.

edschembor · ‎06-26-2014

Having trouble understanding this. Do I need the user="john.doe" part? Why does this need to be done as a subsearch?

aweitzman · ‎06-25-2014

Try the following:

| eval EPHID = "EPH1406180001103" | where like(_raw,"%".EPHID."%")

Search by Field's Value

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms