Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to search "keyword", but not operate on _raw field of the event?

abour
Explorer
‎07-13-2015 06:17 AM

Is there a way to use something like search "keyword", but not operate on the _raw field of the event, but let's say field1 and field2?

search field="keyword" is not the same as this is an exact match. Likewise, if using wildcards, the delimiter/word matching capability is gone. Is there any way to achieve this seemingly simple thing without needing to circle back to regular expression matching on fields?

I seem to be able to achieve something close via eval _raw=field1.field2 | search "keyword". Is it a bad idea to do this and is there a way to extract the original fields in that case or would they be lost?

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 07:24 AM

You could use both worlds:

index=foo sourcetype=bar field=*keyword* keyword | regex field=".*\bkeyword\b.*"

The basic search gets you as close as it can, and the regex throws out fringe events.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 03:29 PM

The second keyword is just there to speed things up, enabling Splunk to only load good potential matches off disk rather than everything.

0 Karma
Reply

abour
Explorer
‎07-13-2015 08:07 AM

Is that really the same? I think the second keyword instance would match on all fields while the wildcard version only matches field. The resulting set is not the same in all cases I believe.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2015 06:55 AM

Like this?

(field1=* AND field2=*) AND (field1="keyword" OR field2="keyword")

Or maybe this:

(field1=* AND field2=*) AND (field1=*keyword* OR field2=*keyword*)

Perhaps some of what you are experiencing is related to this frustrating situation, intrinsic to Splunk searching optimizations:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...