Splunk Search

How can I run a search if a field contains the "|" character?

hsu88888
Explorer

Hello,

I need to count the event log lines that contain AAA|Y|42, but "|" is the pipeline command, so I got an error with the following search.
I tried putting double quotes (") on both sides of the string, but it returned no results.

index=transaction sourcetype=transaction_270 *AAA|Y|42*
| chart count by region_id, partner_id

Splunk treats Y as the command, and I got this error:
Search Factory: Unknown search command 'y'.

Please help me with a solution.

Thank you very much.

0 Karma
1 Solution

hsu88888
Explorer

No, double quotes won't find any events.
This is the right solution that I use and that works:
*AAA*Y*42*R

0 Karma

lfedak_splunk
Splunk Employee

Hey @hsu88888, if DalJeanis and Somesoni2 solved your problem, please don't forget to accept the answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

hsu88888
Explorer

No results found. I already said that in my question.

0 Karma

somesoni2
Revered Legend

Just enclose *AAA|Y|42* in double quotes. It'll then be treated as a string.

index=transaction sourcetype=transaction_270 "*AAA|Y|42*"
 | chart count by region_id, partner_id
0 Karma

DalJeanis
Legend

This answer is correct and specific for that spot in a search, or for after the command | search. If it's inside a mapped search or a regex, use the rules for wherever it is (usually escape with \).
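
Added example (Python, not SPL and not code from any poster in this thread): a model of three pattern forms for the string in the question, run over constructed events to show how much each one matches before counting by region. The events, the `count_by_region` helper and the wildcard form `*AAA*Y*42*` are assumptions, and Splunk's own term matching differs from `fnmatch`, so this only illustrates how broad each pattern is.

```python
import fnmatch
import re
from collections import Counter

LITERAL = "AAA|Y|42"      # the string from the question
WILDCARD = "*AAA*Y*42*"   # assumption: each "|" replaced by a "*" wildcard

# Constructed sample events as (region_id, raw); not real data.
EVENTS = [
    (1, "txn=1 code=AAA|Y|42 status=ok"),         # the literal string
    (1, "txn=2 code=AAAB|YES|420 status=ok"),     # AAA..Y..42 in order, not the literal
    (2, "txn=3 code=AAA|N|7 retry=Y amount=42"),  # pieces spread across fields
    (2, "txn=4 code=BBB|Y|42 status=ok"),         # contains Y and 42 but no AAA
    (3, "txn=5 code=CCC|N|7 status=ok"),          # unrelated
]

MATCHERS = {
    # Unescaped, "|" is regex alternation: matches AAA or Y or 42.
    "unescaped_regex": re.compile(LITERAL).search,
    # Wildcards accept anything between the three pieces.
    "wildcard": lambda raw: fnmatch.fnmatchcase(raw, WILDCARD),
    # Escaped, "|" is a literal character: AAA\|Y\|42.
    "escaped_regex": re.compile(re.escape(LITERAL)).search,
}


def count_by_region(matcher_name):
    """Count matching events per region_id for one pattern form."""
    match = MATCHERS[matcher_name]
    return dict(Counter(region for region, raw in EVENTS if match(raw)))


if __name__ == "__main__":
    print("escaped pattern:", re.escape(LITERAL))
    for name in MATCHERS:
        print(f"{name:16} {count_by_region(name)}")
```
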
