Solved: Is there a way to check if a field value is presen...

jluo_splunk · ‎01-21-2016

The transaction command has the options startswith and endswith, but is there a "contains" of some sort that can be used, just to say that somewhere in the transaction there should be some field value?

MattZerfas · ‎01-21-2016

I have used a regex in a match statement before like below and it seems to work fine. Maybe try that?

startswith=eval(match(eventName,".*SkipFwd"))

View solution in original post

MattZerfas · ‎01-21-2016

I have used a regex in a match statement before like below and it seems to work fine. Maybe try that?

startswith=eval(match(eventName,".*SkipFwd"))

MattZerfas · ‎01-21-2016

O then you could just do a |search foo=bar or |where foo=bar after your transaction depending on what you are wanting to look for.

jluo_splunk · ‎01-22-2016

That did it - thank you MattZerfas!

jluo_splunk · ‎01-21-2016

My issue is I don't necessarily want it to start with this field value. I just want to check that the field value is somewhere in there, not necessarily the beginning or the end.

javiergn · ‎01-21-2016

Is this what you are talking about?

startswith=eval(match(yourfield,"yourvalue"))
endswith=eval(match(yourfield,"yourvalue"))

You can use regex too or even conditionals inside your eval.
See transaction reference help page.

jluo_splunk · ‎01-21-2016

My issue is I don't necessarily want it to start with this field value. I just want to check that the field value is somewhere in there, not necessarily the beginning or the end.

Is there a way to check if a field value is present in a transaction?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!