Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I deal with logs containing asterisks?

hacktastic
Path Finder
‎11-11-2010 06:57 PM

I'm trying to deal with a report that contain an asterisk to denote a "true/false" condition. My goal is to use transaction to roll into events starting with "Task:" and returning only the lines containing the asterisk. (Raw log example below.) Escaping the asterisk out doesn't work. Punct doesn't work consistently. (Bug in 4.0.x?)

If I search: punct="::.[]_--_t#:tt--::.-t*", I get all lines containing the asterisks. However, if use this search after a transaction declaration, Splunk appears to ignore it.

I tried the following query:

"Task:" OR punct="::.[]_--_t#:tt--::.-t*" | transaction fields=host,uniqueLogID startswith="Task:" | search punct="::.[]_--_t#:tt--::.-t*"

I expected it to return:

TransactionA:

Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001    SS#: 1       6-NOV-2010 01:30:20.30 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 2       7-NOV-2010 02:30:02.07 -0500   *

TransactionB:

Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 1       3-NOV-2010 21:00:25.68 -0500   *

Rather, it's returning all transactions, ignoring the secondary search after the pipe. I'm assuming it's because Splunk isn't properly handling the asterisk. How do I get around this?

Raw log: 

Nov11 00:00:13.485 [948] REPL-I-0001 Task: CustomerName/LocationNameA/ComputerNameA/TaskNameA(UniqueNumberA)
Nov11 00:00:13.485 [948] REPL-I-0001    SS#: 1       6-NOV-2010 01:30:20.30 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 2       7-NOV-2010 02:30:02.07 -0500   *
Nov11 00:00:13.486 [948] REPL-I-0001    SS#: 3       8-NOV-2010 02:30:22.65 -0500    
Nov11 00:00:13.487 [948] REPL-I-0001    SS#: 4       9-NOV-2010 02:30:28.97 -0500    
Nov11 00:00:13.487 [948] REPL-I-0001    SS#: 5      10-NOV-2010 02:30:06.95 -0500   
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameB/ComputerNameB/TaskNameB(UniqueNumberB)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 1       3-NOV-2010 21:00:25.68 -0500   *
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500   
Nov11 00:00:13.492 [948] REPL-I-0001    SS#: 3       5-NOV-2010 21:00:22.38 -0500   
Nov11 00:00:13.489 [948] REPL-I-0001 Task: CustomerName/LocationnameC/ComputerNameC/TaskNameC(UniqueNumberC)   
Nov11 00:00:13.491 [948] REPL-I-0001    SS#: 2       4-NOV-2010 21:00:27.70 -0500   
Nov11 00:00:13.492 [948] REPL-I-0001    SS#: 3       5-NOV-2010 21:00:22.38 -0500
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

hacktastic
Path Finder
‎01-19-2011 10:52 PM

Actually, it's not too bad. You can do it inline at search time or put it in props.conf:

| rex mode=sed "s/[*]/NR/g"

Much ado about nothing, I guess...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hacktastic
Path Finder
‎01-19-2011 10:52 PM

Actually, it's not too bad. You can do it inline at search time or put it in props.conf:

| rex mode=sed "s/[*]/NR/g"

Much ado about nothing, I guess...

0 Karma
Reply
Solved! Jump to solution

hacktastic
Path Finder
‎03-04-2011 05:40 PM

As a followup, I'm still using my first solution and it's working great.

0 Karma
Reply
Solved! Jump to solution

hacktastic
Path Finder
‎01-26-2011 05:55 PM

The issue is the inability to search for "*". Is that a bug in "search" and not "where?" I'll try it, regardless. Thanks!

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-20-2011 01:53 AM

You can also filter using the where command, rather than the search command. They have slightly different syntax and capabilities. So rather than using rex to modify the data, just use where like(punct,...) or where match(punct,...)

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎11-11-2010 07:06 PM

Hi, according to known issues, there is no way to escape an asterisk in the search language.

Applying an index-time transform to replace the * with something else,e.g. #, would let you achieve your results. This would also modify the indexed logs, though, and there would be no way back after the events have been indexed.

Paolo

Reply
Solved! Jump to solution

hacktastic
Path Finder
‎11-11-2010 07:29 PM

That's what I thought. I don't have an issue with doing a transform.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...