• Support
  • Forums
  • Blogs

Substring searches in Raw Logs

hib0x13hib0x13

New Life Form
+1
Is it just me or can you not do a subtring search with something like "data=substring"?  For example if my data contains the string:


I can search for that full string using data=http://substring/foo/baz?bar but not the data search above. This seems quite odd to me. I have tried it with multiple fields in both indexed and raw mode.

If this is not possible it would be a great feature. I suppose what seems odd to me is that if the same log was in the siem I could do a substring search.

Thanks.
sk3tchebizz

Share post:

Answers

  • Have you tried adding any type of 'wildcard'? For example, I'm not sure if you can do this, but I'd give it a try

    "data=*substring*"
  • For the data field:
    Alphanumeric string; special chars allowed.

    I have tried using wildcards in various ways and other "legit" regex patterns. I am fairly confident the data string at the least reads your string as literal.

    Regex would be great. Not having access to the console negates my ability to use tools such as grep which a grep like interface would be fantastic to have for this.

Sign In or Register to comment.