
Splunk search for a field value inside a value


I am new to Splunk; I have a query like:

org_name="Something" app_name=MY_APP status_code=401 requesturl=/api/hi

and return results like:

app_name: MY_APP 
   org_name: something
   space_name: space
   job: router
   message_type: OUT
   msg: my.domain.com - [2021-03-08T15:49:54.049006875Z] "POST /api/hiHTTP/1.1" 401 347 147 "-" "insomnia/7.0.3" "10.158.192.20:46006" "10.158.192.158:61002" x_forwarded_for:"208.127.201.110, 2.20.143.172, 10.158.192.20" x_forwarded_proto:"https" vcap_request_id:"539a9655-3198-4604-775c-306a750ca7e5" response_time:0.008447 gorouter_time:0.000489 app_id:"9ecffb96-0b8b-4a7a-be74-484ed6b6f589" app_index:"4" x_cf_routererror:"-" x_mc_correlation_id:"0.ac8f1402.1615218593.dafa73c" x_correlation_id:"-" correlation_id:"0.ac8f1402.1615218593.dafa73c" x_b3_traceid:"0ca5ab5513f3cb99" x_b3_spanid:"0ca5ab5513f3cb99" x_b3_parentspanid:"-" b3:"0ca5ab5513f3cb99-0ca5ab5513f3cb99"
   origin: gorouter
   source_instance: 7
   source_type: RTR
   timestamp: 1615218594057716500

I need to search for all the entries with

correlation_id:"0.ac8f1402.1615218593.dafa73c"

The key could be correlation_id, XC_correlation_id, MC-REAL_correlation_id and others...


Solution

  • There are a few ways to do that and the one to use depends on how specific you can get with field and key names. Try one of these commands:

    | where searchmatch("\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")

    | where match(msg, "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")

    | regex "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\""

    | regex field=msg "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\""
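As an added illustration (this is not part of the answer above and not Splunk code), the Python below runs the answer's regex against constructed gorouter RTR lines modelled on the one in the question, and shows a tighter variant that keeps the key prefix inside a single token. The sample lines, the `TARGET` value and the function names are assumptions made for the example.

```python
import re

# Constructed sample events modelled on the RTR `msg` line in the question;
# only the correlation-id keys and values differ between them.
SAMPLE_MSGS = [
    'my.domain.com - [2021-03-08T15:49:54.049006875Z] "POST /api/hi HTTP/1.1" 401 347 147 '
    'x_mc_correlation_id:"0.ac8f1402.1615218593.dafa73c" x_correlation_id:"-" '
    'correlation_id:"0.ac8f1402.1615218593.dafa73c" x_b3_traceid:"0ca5ab5513f3cb99"',
    'my.domain.com - [2021-03-08T15:50:01.000000000Z] "GET /api/hi HTTP/1.1" 200 12 3 '
    'XC_correlation_id:"0.ac8f1402.1615218593.dafa73c" correlation_id:"-"',
    'my.domain.com - [2021-03-08T15:50:02.000000000Z] "GET /api/hi HTTP/1.1" 401 12 3 '
    'correlation_id:"0.deadbeef.1615218600.0000000"',
]

TARGET = "0.ac8f1402.1615218593.dafa73c"

# Same shape as the pattern the answer passes to `regex` / `match`. re.escape makes
# the dots in the id literal (the answer's pattern leaves them as wildcards).
# The greedy `.*` lets any prefix (x_mc_, XC_, ...) sit before `correlation_id`.
ANSWER_PATTERN = re.compile(r'\s.*correlation_id:"' + re.escape(TARGET) + '"')

# Tighter variant: `\S*` keeps the prefix within one whitespace-delimited token,
# so the match cannot run across unrelated fields. Group 1 captures the key name.
TOKEN_PATTERN = re.compile(r'(?:^|\s)(\S*correlation_id):"' + re.escape(TARGET) + '"')


def matches_answer_pattern(msg):
    """True if the answer's regex would select this event."""
    return ANSWER_PATTERN.search(msg) is not None


def correlation_keys(msg, value=TARGET):
    """Return every key ending in correlation_id whose quoted value equals `value`."""
    pat = re.compile(r'(?:^|\s)(\S*correlation_id):"' + re.escape(value) + '"')
    return pat.findall(msg)


def filter_events(msgs, value=TARGET):
    """Keep only the events carrying `value` under some *correlation_id key."""
    return [m for m in msgs if correlation_keys(m, value)]


if __name__ == "__main__":
    for m in SAMPLE_MSGS:
        print(matches_answer_pattern(m), correlation_keys(m))
```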