Rocket9399
Reputation: 125
Searching for a particular kind of field in Splunk
I'm trying to form a query for searching only specific fields, wherein there are numbers after a specific piece of text. To provide an example, I am currently using the following query:
host="xyz-*" apple "retry *"
I have to find specific entries that have this in their result: "retry 1" or "retry 2" or "retry 3" etc. up to I don't know how many retries.
But the problem that I'm facing is that the above query is also displaying results which have "retry banana", "retry mango", etc. too.
Can someone help me, please?
Thanks
Upvotes: 0
Views: 219
Answers (1)
RichG
Reputation: 9936
The base query can only use wildcards, like you have already. To filter more specifically, use the where command.
host="xyz-*" apple "retry *"
| where match(_raw, "retry \d+")
Upvotes: 2
Related Questions
- Multifields search in Splunk without knowing field names
- splunk query to extract multiple fields from single field
- Splunk search query syntax?
- Splunk conditional search
- Splunk Streamlined search for specific fields only
- Splunk queries: filter by _meta fields
- Adding custom fields to splunk query
- Querying about field with JSON type value
- Splunk match partial result value of field and compare results
- Splunk query to filter results