Hello,
I need to count the event log lines that contain AAA|Y|42, but "|" is the pipeline command, so I got an error with the following search:
I tried to use double quotes (") on both sides of the string, but no results were returned.
index=transaction sourcetype=transaction_270 *AAA|Y|42*
| chart count by region_id, partner_id
Splunk treats Y as the command, and I got this error:
Search Factory: Unknown search command 'y'.
Please help me with a solution.
Thank you very much.
No, double quotes won't find any event.
This is the right solution that I use, and it works:
*AAA*Y*42*R
Hey @hsu88888, if DalJeanis and Somesoni2 solved your problem, please don't forget to accept the answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
No results found. I already said that in my question.
Just enclose *AAA|Y|42* in double quotes. It'll be then treated as string.
index=transaction sourcetype=transaction_270 "*AAA|Y|42*"
| chart count by region_id, partner_id
This answer is correct and specific for that spot in a search, or for after the command | search. If it's inside a mapped search or a regex, use the rules for wherever it is (usually escape with \).