
How to generate a search for an exact word pattern?

danielcmarcosjr
Explorer

Hi All,

I want to search for a word in Splunk in a certain field, for example "foo", and have it return the following:

foo bar
only foo bar
only foo

and not return:

foos
xfoo

1 Solution

somesoni2
SplunkTrust

Give this a try (a run-anywhere search; replace everything before the where clause with your search, and replace field1 with your field name):

| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1 
| where match(field1,"(\s|^)foo(\s|$)")


ddrillic
Ultra Champion

A good discussion about Splunk Search For Exact Word

@lguinn says -


0 Karma

inventsekar
Ultra Champion

Maybe regex will help.

Your base search | regex "(\s|^)foo(\s|$)" 
Or
Your base search | regex "\bfoo\b"

danielcmarcosjr
Explorer

Thanks a lot! 🙂 🙂 🙂

0 Karma

somesoni2
SplunkTrust

Give this a try (a run-anywhere search; replace everything before the where clause with your search, and replace field1 with your field name):

| gentimes start=-1 | eval field1="foo bar#only foo bar#only foo#not foos#foox no#don't fool me" | table field1 | makemv field1 delim="#" | mvexpand field1 
| where match(field1,"(\s|^)foo(\s|$)")

danielcmarcosjr
Explorer

Hello,

Thank you for your reply. However, is there any syntax that I can use instead of hardcoding the "foo bar" ....
because the value is from a text box?

0 Karma

somesoni2
SplunkTrust

The value of the textbox should be assigned to a token; just replace the foo in the match function with that token, like this:

your base search  | where match(field1,"(\s|^)$yourtextboxToken$(\s|$)")

0 Karma

danielcmarcosjr
Explorer

Hmm, but I believe it will not return the result "only foo" because there are no spaces after foo.

0 Karma

somesoni2
SplunkTrust

Have you tested it? (I provided a runanywhere query with sample data).

0 Karma

ddrillic
Ultra Champion

@somesoni2 - isn't there an exact phrase syntax such as "only foo"? You would expect it from a search engine...

0 Karma

somesoni2
SplunkTrust

@Ddrillic, not sure I understood your question?

0 Karma

danielcmarcosjr
Explorer

Hi,

What if it should be case insensitive?

0 Karma

DMohn
Motivator

Add a (?i) at the start of the regex:

your base search  | where match(field1,"(?i)(\s|^)$yourtextboxToken1$(\s|$)") OR match(field1,"(?i)(\s|^)$yourtextboxToken2$(\s|$)") OR ....

0 Karma

danielcmarcosjr
Explorer

Thanks a lot! 🙂 🙂 🙂

0 Karma

danielcmarcosjr
Explorer

Oh yes, it works. What if I have many textbox tokens that are in an OR logical operator?

0 Karma

somesoni2
SplunkTrust

Then you'll create a match expression for each of the tokens.

your base search  | where match(field1,"(\s|^)$yourtextboxToken1$(\s|$)") OR match(field1,"(\s|^)$yourtextboxToken2$(\s|$)") OR ....

0 Karma

gokadroid
Motivator

Did you try *foo*, as that shall return foos and xfoo in events.

Updating as per the comment: to search for exactly "foo", try (foo) as a search term, including the round brackets.

0 Karma

danielcmarcosjr
Explorer

Hi,

Thanks for your reply but it should not display that way.
It should be:

foo bar
only foo bar
only foo

0 Karma

gokadroid
Motivator

That should be easy: try (foo) in the search term so that it only searches for the whole word "foo", nothing more or less.

0 Karma

danielcmarcosjr
Explorer

Hi,

I need to search in a specific field,
like this.
I believe it will return an error:
field1=(foo)

0 Karma

gokadroid
Motivator

Try regex to your rescue

your search to return field1
| regex field1="(^|\s)foo(\s|$)"
| complete your search
0 Karma
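
Added example (not part of any post in this thread): a Python sketch of the whitespace-delimited match from the answers above, built from text-box values that are regex-escaped first so that a value such as `.*` is matched literally instead of being interpreted as a pattern. Python's `re` stands in for Splunk's PCRE engine, which treats these constructs the same way; `word_filter`, `select`, `demo` and the sample values beyond the thread's own are constructed for illustration.

```python
import re

# field1 values from the thread's run-anywhere search, plus constructed extras.
SAMPLE = ["foo bar", "only foo bar", "only foo", "not foos", "foox no",
          "don't fool me", "xfoo", "Only FOO", "foo-bar"]

def word_filter(terms, ignore_case=True, escape=True):
    """Regex matching any of `terms` as a whitespace-delimited word."""
    cleaned = [t.strip() for t in terms if t.strip()]
    if not cleaned:
        raise ValueError("no search term supplied")
    # escape=False mimics dropping the raw text-box value into the pattern.
    parts = [re.escape(t) if escape else t for t in cleaned]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(r"(?:\s|^)(?:" + "|".join(parts) + r")(?:\s|$)", flags)

def select(values, pattern):
    """Return the values the pattern matches anywhere (like `where match`)."""
    return [v for v in values if pattern.search(v)]

def demo():
    return {
        # (\s|^)foo(\s|$): only whitespace or string ends delimit the word.
        "whitespace": select(SAMPLE, word_filter(["foo"], ignore_case=False)),
        # Same pattern with (?i) semantics.
        "ignore_case": select(SAMPLE, word_filter(["foo"])),
        # Several text-box values combined, equivalent to OR-ing match() calls.
        "two_terms": select(SAMPLE, word_filter(["foo", "me"])),
        # \bfoo\b also accepts punctuation as a delimiter ("foo-bar").
        "word_boundary": select(SAMPLE, re.compile(r"\bfoo\b")),
        # Unescaped ".*" turns the filter into match-everything.
        "raw_input": select(SAMPLE, word_filter([".*"], escape=False)),
        # Escaped ".*" is searched as the literal two characters.
        "escaped_input": select(SAMPLE, word_filter([".*"])),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} {rows}")
```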