Taking Value of One Field, Adding Text, And Compar...

SplunkLunk · ‎09-02-2021

Greetings,

I want to exclude search results if a field contains a value compared against another field with additional text added. So it would look something like this:

Field1=value

Field2=Field1+[text]

Field3=[value2]

Exclude results where Field2=Field1+[text] and Field3=[value2]

Can anyone tell me what the syntax in Splunk would be? Thanks.

shivanshu1593 · ‎09-02-2021

Hello @SplunkLunk ,

Please try something like this:

| your base query

| eval match_field = if(match(field2,"regex to match the values that you want to find", "Match","No Match"))

| where NOT (match_field="Match" AND Field3=[value2])

| rest of your query

Hope this helps.

Thanks,

S

***If it helped, Please accept it as an answer. It helps others to find the solutions to similar problems quickly***

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Taking Value of One Field, Adding Text, And Comparing Against Another Field

eval

fields

subsearch

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!