Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to tell splunk to stop searching after a text is found

cafissimo
Communicator
‎08-02-2010 08:09 AM

Hello, I have a log file with a very long record (about 255 chars) and I would like to know if and how is it possible to tell splunk to stopo searching for some text after first occurrence of the text for every record. For example, if I have a record "ABC-DEF-GHIJKABCFJEI-DEF-IJEFIJ..." I wanto splunk to stop searching after the first DEF occurence for that record and passes to the next record, so that performances are much better. Thanks in advance and kind regards.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2010 02:06 PM

There is no need to do this. Splunk indexed searches do not work that way. It doesn't matter how many or where "DEF" occurs in an event. If you search for "DEF" it will not be any faster. Also, 255 characters should not be considered "long".

If you are using a regex for field extractions (or in the rex command), then it does work by scanning the text of the event as you think, but in that case (depending how you write the regex) it will stop without scanning the whole string, although again, a 255-character string isn't very large.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2010 02:06 PM

There is no need to do this. Splunk indexed searches do not work that way. It doesn't matter how many or where "DEF" occurs in an event. If you search for "DEF" it will not be any faster. Also, 255 characters should not be considered "long".

If you are using a regex for field extractions (or in the rex command), then it does work by scanning the text of the event as you think, but in that case (depending how you write the regex) it will stop without scanning the whole string, although again, a 255-character string isn't very large.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...