Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for specific text in field without additional text?

joesrepsol
Path Finder
‎09-26-2018 11:29 AM

Sorry for the strange title... couldn't think of anything better. Doing a search on a command field in Splunk with values like:
sudo su - somename
sudo su - another_name
sudo su -

And I'm only looking for the records "sudo su -". I don't want the records that match those characters and more... just records that ONLY contain "sudo su -". When I write the search Command="sudo su -" I still get the other records too. Struggling to figure this out.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-26-2018 09:38 PM

There are lots of ways to make this happen.

You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""

You could use a regular expression that will only match if there are non-whitespace characters after the -

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-26-2018 09:38 PM

There are lots of ways to make this happen.

You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""

You could use a regular expression that will only match if there are non-whitespace characters after the -

your search that gets all the "sudo su -"  (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-26-2018 11:42 AM

@joesrepsol

have you tried search command?

try this:

| makeresults | eval _raw=" Command
sudo su - somename
sudo su - another_name
sudo su -
" | multikv | search Command="sudo su -"
0 Karma
Reply
Solved! Jump to solution

joesrepsol
Path Finder
‎09-27-2018 08:34 AM

THANK YOU.

This seems to have worked! I'm a little confused why adding Command="sudo su -" in the normal search seemingly applies an asterisks to the value, but when adding it with the |search Command="sudo su -" doesnt?

Regardless its working, and thank you.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-27-2018 08:45 AM

Great.

Can you please accept the answer and upvote it to help the community?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...