Splunk Search

search matching big multiline string

722624
Path Finder

Hello All,
I have a very big multiline string exported from an Excel CSV file to Splunk. It worked well; I can see all the values in fields.
Now if I want to search

index = xxxxxx source = yyyyyyyy field = " below given sample field value"

then I am getting NO RESULT.
Do I need to use any special search methods to match the exact string?

The sample field value is below (please note this forum is not showing a 100% match of my text when I paste it here, but it is a 90% match):
The ! (exclamation point) before SSLv2 is what disables this protocol.

  • Windows
    Disable SSLv2 protocol support in Microsoft Windows

    Configure the server to require clients to use at least SSLv3 or TLS.

    For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) .

  • Disable insecure TLS/SSL protocol support

    Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.


woodcock
Esteemed Legend

The problem is that your field starts with a space, which is a segmenter.

I won't try to explain the nuance but try calling out each word of the match string like this:

index = xxxxxx source = yyyyyyyy below given sample field value field=" below given sample field value" 

Try bookending your search string with asterisks like this:

index = xxxxxx source = yyyyyyyy field="*below given sample field value*" 

or:

index = xxxxxx source = yyyyyyyy below given sample field value field=" below given sample field value" 

722624
Path Finder

Thank you for the reply. Actually, there is no space in the beginning.

When I upload the CSV, the values are stored in a field called "Solution".

Now I have to make a drilldown report, where I am writing the query. (This is dynamic: the first level is a table with all solutions. After clicking a row of the table, the report goes a further level down, with more details about the particular solution.) I am able to show the table. When a row is clicked, I am trying to get the details of that solution by writing something like below:

Solution = "The ! (exclamation point) before SSLv2 is what disables this protocol.

Windows
Disable SSLv2 protocol support in Microsoft Windows

Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) . "


DalJeanis
SplunkTrust

Yes, field = " blah blah " seems problematic. Wonder if he should be using a field name at all in this case.


niketn
Legend

@722624... Have you tried escaping special characters in your search string with a backslash \?
Also use TERM() to define an exact term for the search.

https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

722624
Path Finder

I tried using TERM but I am not getting any result.

I used it like this:

TERM(The ! (exclamation point) before SSLv2 is what disables this protocol.

Windows
Disable SSLv2 protocol support in Microsoft Windows

Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498 (http://support.microsoft.com/kb/187498) . For newer versions of Microsoft Windows, see KB245030 (http://support.microsoft.com/kb/245030) .)
