Hey,
I got a few indexes in Splunk and I want to compare two different values
but like the first 10 bytes of the first value and the last 10 bytes of the second value.
Like if it's
search (index1 or index2) | where value1[0:10]=value2[-10::]
value1=0123456789hiiiiiiiiiiiiiiiii
value2=hiiiiiiiiii0123456789
will return true.
You can use the substr function.
(index=index1 OR index=index2) | where substr(value1,1,10)==substr(value2,-10)
Note that it's VERY inefficient to use a base search without any filtering like this. If possible you should try to find ways to filter how much data comes out of the base search.
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/CommonEvalFunctions
Take a look at this:
| stats count | eval value1="0123456789hiiiiiiiiiiiiiiiii" | eval value2="hiiiiiiiiii0123456789" | eval match = if(substr(value1, 0, 10) == substr(value2, -10, 10), "match", "no match")
Gives me "match".
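An added example, not part of the original thread: the `where` and `eval` comparisons above test both fields within a single event. Assuming instead that value1 only occurs in index1 events and value2 only in index2 events (an assumption, the thread does not say), one way to pair them is to build a shared key with the same substr calls and group on it; the `value1=* OR value2=*` terms also narrow the base search.

```spl
(index=index1 OR index=index2) (value1=* OR value2=*)
| eval key=coalesce(substr(value1,1,10), substr(value2,-10))
| stats values(value1) AS value1 values(value2) AS value2 BY key
| where isnotnull(value1) AND isnotnull(value2)
```

Each remaining row is a key for which at least one value1 prefix and one value2 suffix agree.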