Hello
index="cs_test" "Splunktest" "Refund succeeded" OR *"action"=>"refund"*
I have the below raw text log. I want to return events that contain either "Refund succeeded" OR "action"=>"refund"; the problem is that logs that contain only " => " or "refund" are also being returned. How do I return only results that contain the exact string "Refund succeeded" OR "action"=>"refund"?
Example raw text
"status"=>"pending", "action"=>"refund", "convert_to_cash_url"=>nil}], "v2_return_service_enabled"=>true, "inventory_service_id"=>"voucher", "order_reversal_url"=>"/order_reversal/refund", "is_expiration_extendable"=>false, "can_partial_refund"=>false, "tradable"=>"ineligible", "merchant_payment_text"=>"Continuous",
Thanks
Try the below search:
index="cs_test" "Refund succeeded" OR "\"action\"=>\"refund\""
@Danielle2018V
It seems like you are just working with the raw logs; are fields not being extracted? If not, you can do something like this:
index="cs_test" "Splunktest" | rex field=_raw "\"action\"\S{3}(?<action>[^\"]*)" | search "Refund succeeded" OR action=refund
I created the field action for future reference, in case you want to see other actions.
If you can show me a log sample where the value "Refund succeeded" is present, we can create another field, and your search will be much more accurate.