Is it possible to search "keyword", but not operat...

abour · ‎07-13-2015

Is there a way to use something like search "keyword", but not operate on the _raw field of the event, but let's say field1 and field2?

search field="keyword" is not the same as this is an exact match. Likewise, if using wildcards, the delimiter/word matching capability is gone. Is there any way to achieve this seemingly simple thing without needing to circle back to regular expression matching on fields?

I seem to be able to achieve something close via eval _raw=field1.field2 | search "keyword". Is it a bad idea to do this and is there a way to extract the original fields in that case or would they be lost?

martin_mueller · ‎07-13-2015

You could use both worlds:

index=foo sourcetype=bar field=*keyword* keyword | regex field=".*\bkeyword\b.*"

The basic search gets you as close as it can, and the regex throws out fringe events.

martin_mueller · ‎07-13-2015

The second keyword is just there to speed things up, enabling Splunk to only load good potential matches off disk rather than everything.

abour · ‎07-13-2015

Is that really the same? I think the second keyword instance would match on all fields while the wildcard version only matches field. The resulting set is not the same in all cases I believe.

woodcock · ‎07-13-2015

Like this?

(field1=* AND field2=*) AND (field1="keyword" OR field2="keyword")

Or maybe this:

(field1=* AND field2=*) AND (field1=*keyword* OR field2=*keyword*)

Perhaps some of what you are experiencing is related to this frustrating situation, intrinsic to Splunk searching optimizations:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Is it possible to search "keyword", but not operate on _raw field of the event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!