I am trying to search for a pattern (see below) in the logs using Splunk. The string I am going to search for includes double quotes.
The info log below is printed by the logger:
INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897",.......}
And the string I want to search for is "function": "delete"
The Splunk query I am trying to execute is:
index="12585" "\"function\": \"delete\""
I am not quite sure if this is going to work. Any suggestions?
There are probably multiple whitespace characters between function and delete. I suggest you just search for the two phrases separately, rather than together:
index="12585" \"function\": \"delete\"
Since your data is in raw format, you can check whether the "function" field is automatically extracted by Splunk. If yes, you can simply search for index="index_1" function="delete"
Else, you can search for index="index_1" "function" "delete" as is, and Splunk will search for function and delete in your raw event.
I was researching a similar problem where I need to search for an exact string match which includes double quotes. It doesn't look like we can directly query with an escaped double quote, so we have to use regex.
In your scenario, you could try this query:
index="12585" | regex fieldname=".*\"function\": \"delete\".*"
It will try to run a regex match on the fieldname. The regex can be validated in any online regex tester. I haven't figured out how to query with the _raw field. Doing _raw=".*\\\"delete\\\".*" doesn't seem to return anything.
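To see what these searches actually match, here is an added Python check (not Splunk code and not from any of the answers above) that runs the literal regex from the last answer, a whitespace-tolerant variant I assume as a hardening, and a parsed-field comparison (the equivalent of function="delete") over a few constructed events laid out like the question's log line:

```python
import json
import re

# Constructed sample events (not real log data), in the layout the question
# shows: a logger prefix followed by a JSON body.
SAMPLE_EVENTS = [
    'INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897"}',
    'INFO: o.l.k.SomeClass: {"function":   "delete", "tenenId":"15898"}',  # extra spaces
    'INFO: o.l.k.SomeClass: {"function": "create", "tenenId":"15899"}',
    'INFO: o.l.k.SomeClass: {"function": "deleteAll", "tenenId":"15900"}',  # longer value
    'INFO: o.l.k.SomeClass: {"tenenId":"15901", "function": "delete"}',  # other key order
]

# What the regex engine sees after SPL unescapes \"function\": \"delete\":
# a literal match with exactly one space after the colon.
LITERAL_RE = re.compile(r'"function": "delete"')

# Whitespace-tolerant variant (my assumption of how to relax it): any run of
# spaces or tabs on either side of the colon.
TOLERANT_RE = re.compile(r'"function"\s*:\s*"delete"')

TENANT_RE = re.compile(r'"tenenId"\s*:\s*"(\d+)"')


def match_events(pattern, events=SAMPLE_EVENTS):
    """tenenId of every event whose raw text matches the regex."""
    return [TENANT_RE.search(e).group(1) for e in events if pattern.search(e)]


def field_equals(event, key, value):
    """Parsed comparison, the equivalent of searching an extracted field
    (function="delete"): unaffected by spacing and key order."""
    try:
        return json.loads(event[event.index("{"):]).get(key) == value
    except ValueError:  # no "{" in the event, or the body is not valid JSON
        return False


def field_hits(events=SAMPLE_EVENTS):
    """tenenId of every event whose parsed "function" field equals "delete"."""
    return [TENANT_RE.search(e).group(1)
            for e in events if field_equals(e, "function", "delete")]


if __name__ == "__main__":
    print("literal regex :", match_events(LITERAL_RE))   # ['15897', '15901']
    print("tolerant regex:", match_events(TOLERANT_RE))  # ['15897', '15898', '15901']
    print("parsed field  :", field_hits())               # ['15897', '15898', '15901']
```

The literal regex misses the event with extra spaces, which is the whitespace problem the first answer points out, while both the tolerant regex and the parsed-field check find it and all three correctly skip "deleteAll".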