I need to search for events that contain a specific value generated from a new field name. This is what I'm trying to accomplish:
index=app sourcetype=source
| eval uri_t = "uri:type:subtype:123-5678:DATA_REFERENCE:DATA1:999:123-5678:DATA2:DATA_REFERENCE2:123456"
| eval uri2=replace(uri_t, "\:", "%3A")
| search uri2
Basically, I'm encoding part of a URL using the replace and eval functions into the field name uri2, then I need to search specifically for the result of the encoded value. But it seems using search will search for "uri2" instead of the entire encoded string.
Note, I had to use replace to encode part of the URL because it seems there is no encode function in Splunk.
Any assistance will be appreciated.
As you've learned, the search command searches entire events. To find text within a field, use one of these commands.
| where match(uri2, "<regex>")
| regex uri2="<regex>"
Both of them will filter out events that do not match the given regular expression.
If you want to find a substring within the field without filtering events, then use the rex command.
| rex field=uri2 "<regex>"
Note that rex must contain a named capture group. The group name will become the field into which rex will put the matching text.
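Putting the answer together with the question's own pipeline, here is an added SPL example (not part of the original thread or of Splunk's documentation). The index, sourcetype and the uri_t value come from the question; the substring being looked for, the field name ref_value and the regexes are assumptions made for illustration.

```spl
index=app sourcetype=source
| eval uri_t="uri:type:subtype:123-5678:DATA_REFERENCE:DATA1:999:123-5678:DATA2:DATA_REFERENCE2:123456"
| eval uri2=replace(uri_t, ":", "%3A")
| where match(uri2, "%3ADATA_REFERENCE%3ADATA1%3A")
| rex field=uri2 "DATA_REFERENCE%3A(?<ref_value>[^%]+)%3A"
| table uri_t uri2 ref_value
```

The `where match(...)` line keeps only events whose uri2 field contains the encoded substring (the literal colon in the replace pattern needs no backslash, since `:` is not a regex metacharacter). The `rex` line then extracts the token after the first `DATA_REFERENCE%3A` into the new field ref_value, which for the sample value is `DATA1`, without dropping any events. Two things to keep in mind when testing a field against an encoded value: `match()` and `rex` treat their pattern as a regular expression, so any characters such as `.` or `?` that survive your encoding need escaping; and avoid `like()` for this job, because `%` is the wildcard in `like()` and every `%3A` in the value would be read as "any characters followed by 3A".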