Splunk Search

TERM command

splunkuser2012
Engager

I want to search the whole term like shown below, why is it not working ?
Do i need to remove the "<" and "//" ?

What other command can i use ?

TERM
(

XmlTransformHelper:Original Request:

)

Tags (1)

scotmatson
Explorer

Correct. Angled brackets will not work within a TERM. On the other hand a slash will.

https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/UseCASEandTERMtomatchphrases
The TERM directive only works for terms that are bounded by major or minor breakers. The term you are searching for cannot contain major breakers. For example, you cannot search for Maria Dubois with TERM because there is a space between the names. This is illustrated in the examples below.

MAJOR =
* Set major breakers.
* Major breakers are words, phrases or terms in your data that are surrounded
by set breaking characters.
* By default, major breakers are set to most characters and blank spaces.
* Typically, major breakers are single characters.
* Please note: \s represents a space; \n, a newline; \r, a carriage return; and
\t, a tab.
* Default is [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29

https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Segmentersconf
MINOR =
* Set minor breakers.
* In addition to the segments specified by the major breakers, for each minor
breaker found, Splunk indexes the token from the last major breaker to the
current minor breaker and from the last minor breaker to the current minor
breaker.
* Default is / : = @ . - $ % \ _

_d_
Splunk Employee
Splunk Employee

Using the TERM() operator is not appropriate here because what you're searching for contains both minor and major segmenters and therefore does not get indexed as an entire contiguous string. What you need is (as alluded above) to wrap the whole string in quotes:

index=my_index sourcetype=my_sourcetype "XmlTransformHelper:Original Request:<soap-env:envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">"

d.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Angle brackets and slashes should not be a problem. You can confirm this by searching for TERM(*<*) or TERM(*/*), both should return plenty of results. However, quotation marks may yield problems. Compare TERM(*"*) with TERM(*\"*), you should see an error in the non-escaped case and plenty of results in the escaped one.

Have you tried enclosing the string in quotes without the TERM(), and escaping the quotes contained in the string?

0 Karma

scotmatson
Explorer

The TERM directive only works for terms that are bounded by major or minor breakers. The term you are searching for cannot contain major breakers. For example, you cannot search for Maria Dubois with TERM because there is a space between the names. This is illustrated in the examples below.

MAJOR =
* Set major breakers.
* Major breakers are words, phrases or terms in your data that are surrounded
by set breaking characters.
* By default, major breakers are set to most characters and blank spaces.
* Typically, major breakers are single characters.
* Please note: \s represents a space; \n, a newline; \r, a carriage return; and
\t, a tab.
* Default is [ ] < > ( ) { } | ! ; , ' " * \n \r \s \t & ? + %21 %26 %2526 %3B %7C %20 %2B %3D -- %2520 %5D %5B %3A %0A %2C %28 %29

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...