Splunk Search

How to search if a string exists in a variable number of columns?

Kukkadapu
Path Finder

Hi,

I have multiple columns (the number of columns may vary) and want to search for a string that may exist in any of the columns. How do I do this with a simple search?

Log example: There are three statements

Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc"
Id_1="abc" Id_2="xyz"  Id_3="123"  
Id_1="abc" Id_2="123"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="123"

I've used the table command like this: | table Id_* to get a table of Ids.
OUTPUT for the above search:

Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="xyz"
Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4=null         Id_5=null    Id_6=null    Id_7=null
Id_1="abc" Id_2="123"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="123"

Now I want to search for/get the records where Id_* is "xyz". Can you help me with the search?

Thanks.

0 Karma
1 Solution

javiergn
SplunkTrust

If you just want the field names you could use something like this instead (not tested, so play around with the quotes):

| eval fieldnames = ""
| foreach Id_* [eval fieldnames = if(match(<<FIELD>>, "xyz"), "<<FIELD>>" . fieldnames, fieldnames)]

0 Karma
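An added example that is not part of the original thread, extending javiergn's foreach approach. It uses exact equality instead of the regex match() function, so a value such as "abcxyz" is not reported as a hit; it collects the names of the matching fields into a multivalue field with mvappend; and it keeps only the events that have at least one match. The field prefix Id_ and the value "xyz" come from the question; the base search is a placeholder, and mvappend ignoring a null first argument (so the first hit starts the list) is assumed.

```spl
index=your_index sourcetype=your_sourcetype
``` placeholder base search; replace with the search that returns the Id_* events ```
| foreach Id_*
    [ eval matched_fields = if('<<FIELD>>' == "xyz",
                                mvappend(matched_fields, "<<FIELD>>"),
                                matched_fields) ]
``` '<<FIELD>>' is the value of the current Id_n field; "<<FIELD>>" is its name ```
``` a null Id_n (missing in that event) compares as null, so if() takes the else branch ```
| eval match_count = mvcount(matched_fields)
| where isnotnull(matched_fields)
| table _time Id_* matched_fields match_count
```

On the three sample events in the question, the first and second events are kept (matched_fields = Id_2, match_count = 1) and the third is dropped, because "xyz" appears only in fields outside Id_* there. Swapping `'<<FIELD>>' == "xyz"` for `match('<<FIELD>>', "^xyz$")` gives the same result if you prefer to stay with regex.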

Kukkadapu
Path Finder

Perfect, this worked. It created a new column, "fieldnames", with the original column name. I could just search the new column, which has no nulls.

Thanks for your time, Javiergn.

0 Karma

sundareshr
Legend

You could add "xyz" to your search, like this: index=* "xyz" | table id_*

Kukkadapu
Path Finder

Hi Sundareshr, yeah, but the search string is also going to be in the other columns. I want to search only in the Id_* columns.

Thanks

0 Karma

sundareshr
Legend

Try this:

.. | table id_* | foreach ID_* [eval x=<<MATCHSTR>>."@@@"] | search x="xyz"
0 Karma

Kukkadapu
Path Finder

Can you explain the query, please? I'm seeing this error:

Failed to parse templatized search for field 'Id_1'
Failed to parse templatized search for field 'Id_2'
Failed to parse templatized search for field 'Id_3'
Failed to parse templatized search for field 'Id_4'

Thanks

0 Karma