
I am trying to search for a pattern (see below) in the logs using Splunk. The string which I am going to search for includes double quotes.

The info log below is printed by the logger:

INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897",.......}

And the string I want to search for is "function": "delete"

The Splunk query I am trying to execute is:

index="12585" "\"function\": \"delete\""

I am not quite sure if this is going to work. Any suggestions?

Hirein

3 Answers

0

There are probably multiple whitespace characters between function and delete. I suggest you just search for the two phrases separately, rather than together.

index="12585" \"function\": \"delete\"
Simon Duff
0

Since your data is in raw format, you can check whether the "function" field is automatically extracted by Splunk. If yes, you can simply search for index="index_1" function="delete"; otherwise, you can search for index="index_1" "function" "delete" as is, and Splunk will search for function and delete in your raw event.

0

I was researching a similar problem where I needed to search for an exact string match which includes double quotes. It doesn't look like we can directly query with escaped double quotes. So we have to use regex.

In your scenario, you could try this query:

index="12585" | regex fieldname=".*\"function\": \"delete\".*"

It will try to run a regex match on the fieldname. The regex can be validated in any online regex tester. I haven't figured out how to query the _raw field. Doing _raw=".*\\\"delete\\\".*" doesn't seem to return anything.

Dongminator
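To show what the three approaches above actually match (and miss), here is an added example that is not part of the thread: it runs the literal regex from the last answer, a whitespace-tolerant variant of it, the "two separate terms" approach from the first answers, and a parse of the JSON payload itself, over a few constructed log lines shaped like the one in the question. The log lines, tenant ids and helper names are all made up for the demonstration.

```python
import json
import re

# Constructed sample events in the shape shown in the question (not real log data).
SAMPLE_LOGS = [
    'INFO: o.l.k.SomeClass: {"function": "delete", "tenenId":"15897"}',
    'INFO: o.l.k.SomeClass: {"function":   "delete", "tenenId":"15898"}',   # extra whitespace
    'INFO: o.l.k.SomeClass: {"function": "update", "tenenId":"15899"}',
    'INFO: o.l.k.SomeClass: {"action": "delete", "function": "list"}',       # both words, wrong field
]

# Same pattern as the answer's regex command, anchored on a single literal space.
STRICT_RE = re.compile(r'"function": "delete"')
# Tolerant variant: any amount of whitespace around the colon, as the first answer suspects.
TOLERANT_RE = re.compile(r'"function"\s*:\s*"delete"')


def match_strict(line: str) -> bool:
    """Literal '"function": "delete"' substring, exactly one space."""
    return STRICT_RE.search(line) is not None


def match_tolerant(line: str) -> bool:
    """Same key/value pair, but whitespace-insensitive."""
    return TOLERANT_RE.search(line) is not None


def match_two_terms(line: str) -> bool:
    """Searching 'function' and 'delete' as separate terms: both words anywhere in the event."""
    return "function" in line and "delete" in line


def match_by_field(line: str) -> bool:
    """Parse the JSON payload after the logger prefix and test the field itself
    (what a field-based search like function="delete" relies on)."""
    start = line.find("{")
    if start < 0:
        return False
    try:
        payload = json.loads(line[start:])
    except json.JSONDecodeError:
        return False
    return payload.get("function") == "delete"


def matching_lines(lines, matcher) -> list:
    """Indexes of lines the given matcher accepts."""
    return [i for i, line in enumerate(lines) if matcher(line)]
```

The two-term search also accepts the last line, where "delete" belongs to a different key; the field-based check and the tolerant regex accept only the events that actually carry function=delete.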