Search for fields that match a value versus fields that contain a value

nrohbock
Explorer

I'm going to go mad trying to get Splunk to return only field values that are a given value and don't start with or contain the value I give. Here's my example:

index=myindex host=a_server | where match(eventtype, "^dataflow(^-|$)")
index=myindex host=a_server | where match(eventtype, "^dataflow$")
index=myindex host=a_server | where eventtype="dataflow"
index=myindex host=a_server eventtype=dataflow
index=myindex host=a_server eventtype=TERM(dataflow)

All five searches return items like:

dataflow-end
dataflow-start
dataflow-cache
...
etc.

I ONLY want events with eventtype of dataflow. Any guidance on how to have a less greedy search would be great!

1 Solution

woodcock
Esteemed Legend

This search will do it:

index=myindex host=a_server eventtype=dataflow

Now, the caveat is that that particular field is a multi-valued field so it can have more than a single value and it will return searches that also have other eventtype values. If this is a problem, then you need to add this to the end, too:

| eventstats dc(eventtype) AS DCeventtype
| search DCeventtype=1

nrohbock
Explorer

So, I like your idea. My challenge is that the distinct count of eventtype in the eventstats line returns the count for all events not each event. I'm sure this could be fixed with the appropriate by statement... but I don't know how to make a by statement that is unique to each event.

It looks like using:
| eval dc_etype=mvcount(eventtype)
accomplished what the eventstats command was intended to do.

Thank you!

woodcock
Esteemed Legend

Yes, your way is definitely the right way and mine will not work at all and I should have realized that. Great job!
That's what I get for posting untested answers from my phone!

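To see the difference between the searches in the thread without an index, here is an added example (not from either poster): `makeresults` builds four constructed events whose `eventtype` field mirrors the asker's data (one single-valued exact match, one multi-valued event carrying dataflow alongside dataflow-end, and two with only prefixed values), then two evals show which test each event passes. The field names `contains_dataflow`, `only_dataflow` and `n` are made up for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval eventtype=split(case(
      n==1, "dataflow",
      n==2, "dataflow|dataflow-end",
      n==3, "dataflow-start",
      n==4, "dataflow-cache|other"), "|")
| fields - _time
| eval contains_dataflow=if(mvcount(mvfilter(match(eventtype, "^dataflow$")))>0, "yes", "no")
| eval only_dataflow=if(mvcount(eventtype)=1 AND mvindex(eventtype, 0)="dataflow", "yes", "no")
| table n eventtype contains_dataflow only_dataflow
```

Rows 1 and 2 both pass `contains_dataflow`, which is the test `eventtype=dataflow` in the base search effectively performs on a multi-valued field; only row 1 passes `only_dataflow`, which is the `mvcount(eventtype)=1` check the thread settles on, so `| where only_dataflow="yes"` keeps just the single-valued exact match.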