Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values of a field as part of regular expressions and match with values in other fields, this being done for a large data-set?

snipedown21
Path Finder
‎05-11-2017 11:02 PM

I have tables like below:

                      Personnel Name                                                     Person Name

               First Name       Last Name                                  First Name      Last Name

               Graham              Smith.Jr                                        Emily              Smith
               Brendon              Roy                                           Brendon           Johnson III
               Alicia                  Spinat                                         Norman            Alicia
              Mark                     Twain                                         Justin          Darlington

I want to match either the first name of the personnel name, with the first or last name of the person name or vice versa.
The interest of match here is to know if there is a remote match either in the first name or last name of the personnel and person.
But, I also want my search to eliminate the ".Jr" and "III" while matching and any other initials in the name.

here is what I have:

|table prsnl_name, person_name | eval splitofprsnl=split(prsnl_name,",")| eval field1=mvindex(splitofprsnl,0) | eval field2=mvindex(splitofprsnl,1) | eval splitofperson=split(person_name,",")| eval field3=mvindex(splitofperson,0) | eval field4=mvindex(splitofperson,1) | fields prsnl_name, person_name, field1, field2, field3, field4 | eval field1=trim(field1, " ") | eval field2=trim(field2, " ") | eval field3=trim(field3, " ") | eval field4=trim(field4, " ") | eval n1=if(match(field2,".*field3.*"),1,0) | eval n2=if(match(field3,".*field2.*"),1,0) | eval n3=if(match(field1,".*field4.*"),1,0) | eval n4=if(match(field4,".*field1.*"),1,0)

I'm really new to Splunk and help would be greatly appreciated.
Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-12-2017 08:17 AM

Give this a try

your base search |table prsnl_name, person_name 
| rex field=prsnl_name "(?<prsnl_first>.+)\s*,\s*(?<prsnl_last>.+)"
| rex field=person_name "(?<person_first>.+)\s*,\s*(?<person_last>.+)"
| eval n1=if(match(prsnl_name,person_first),1,0) 
| eval n2=if(match(prsnl_name,person_last),1,0) 
| eval n3=if(match(person_name,prsnl_first),1,0) 
| eval n4=if(match(person_name,prsnl_lat),1,0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-12-2017 08:17 AM

Give this a try

your base search |table prsnl_name, person_name 
| rex field=prsnl_name "(?<prsnl_first>.+)\s*,\s*(?<prsnl_last>.+)"
| rex field=person_name "(?<person_first>.+)\s*,\s*(?<person_last>.+)"
| eval n1=if(match(prsnl_name,person_first),1,0) 
| eval n2=if(match(prsnl_name,person_last),1,0) 
| eval n3=if(match(person_name,prsnl_first),1,0) 
| eval n4=if(match(person_name,prsnl_lat),1,0)
0 Karma
Reply
Solved! Jump to solution

snipedown21
Path Finder
‎05-14-2017 10:23 PM

It works just fine. Thank you.
Appreciate it Mate.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...