Splunk Search

How to use values of a field as part of regular expressions and match with values in other fields, this being done for a large data-set?

snipedown21
Path Finder

I have tables like below:


Personnel Name                    Person Name
First Name    Last Name           First Name    Last Name
Graham        Smith.Jr            Emily         Smith
Brendon       Roy                 Brendon       Johnson III
Alicia        Spinat              Norman        Alicia
Mark          Twain               Justin        Darlington

I want to match the first name of the personnel name with the first or last name of the person name, or vice versa.
The point of the match is to know whether there is even a remote match in either the first name or last name of the personnel and the person.
But I also want my search to eliminate the ".Jr" and "III" while matching, and any other initials in the name.

Here is what I have:

|table prsnl_name, person_name
| eval splitofprsnl=split(prsnl_name,",")
| eval field1=mvindex(splitofprsnl,0)
| eval field2=mvindex(splitofprsnl,1)
| eval splitofperson=split(person_name,",")
| eval field3=mvindex(splitofperson,0)
| eval field4=mvindex(splitofperson,1)
| fields prsnl_name, person_name, field1, field2, field3, field4
| eval field1=trim(field1, " ")
| eval field2=trim(field2, " ")
| eval field3=trim(field3, " ")
| eval field4=trim(field4, " ")
| eval n1=if(match(field2,".*field3.*"),1,0)
| eval n2=if(match(field3,".*field2.*"),1,0)
| eval n3=if(match(field1,".*field4.*"),1,0)
| eval n4=if(match(field4,".*field1.*"),1,0)

I'm really new to Splunk and help would be greatly appreciated.
Thank you.

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

your base search |table prsnl_name, person_name 
| rex field=prsnl_name "(?<prsnl_first>.+)\s*,\s*(?<prsnl_last>.+)"
| rex field=person_name "(?<person_first>.+)\s*,\s*(?<person_last>.+)"
| eval n1=if(match(prsnl_name,person_first),1,0) 
| eval n2=if(match(prsnl_name,person_last),1,0) 
| eval n3=if(match(person_name,prsnl_first),1,0) 
| eval n4=if(match(person_name,prsnl_last),1,0) 


0 Karma

snipedown21
Path Finder

It works just fine. Thank you.
Appreciate it Mate.

0 Karma
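
The accepted answer hands field values to match() as regular expressions and leaves the ".Jr" and "III" suffixes in place. The following is an added example, not code from the thread and not SPL: it models the same four flags in Python so it can be run offline, strips suffixes and initials first, and compares the cleaned values literally. The suffix list, the function names and the "First, Last" row format are assumptions.

```python
import re

# Generational suffixes to ignore (assumed list; extend for your data).
SUFFIX = re.compile(r"[\s.,]+(jr|sr|ii|iii|iv)\.?$", re.IGNORECASE)
# Stand-alone initials such as "J." or a trailing "Q".
INITIAL = re.compile(r"\b[A-Za-z]\.?(?=\s|$)")

# Constructed rows from the question's table, as "First, Last" strings.
ROWS = [
    ("Graham, Smith.Jr", "Emily, Smith"),
    ("Brendon, Roy", "Brendon, Johnson III"),
    ("Alicia, Spinat", "Norman, Alicia"),
    ("Mark, Twain", "Justin, Darlington"),
]

def clean(part):
    """Lower-case one name part; drop suffix, initials and punctuation."""
    part = SUFFIX.sub("", part.strip())
    part = INITIAL.sub(" ", part)
    return " ".join(re.findall(r"[a-z'-]+", part.lower()))

def split_name(full):
    """Split 'First, Last' at the first comma and clean both halves."""
    first, _, last = full.partition(",")
    return clean(first), clean(last)

def contains(haystack, needle):
    """Literal containment: the needle is data, never a pattern."""
    # An empty needle (a name that was only an initial) matches nothing.
    return bool(needle) and re.search(re.escape(needle), haystack) is not None

def match_flags(prsnl_name, person_name):
    """Return the four cross-match flags n1..n4 used in the thread."""
    p_first, p_last = split_name(prsnl_name)
    q_first, q_last = split_name(person_name)
    prsnl, person = f"{p_first} {p_last}", f"{q_first} {q_last}"
    return {
        "n1": int(contains(prsnl, q_first)),
        "n2": int(contains(prsnl, q_last)),
        "n3": int(contains(person, p_first)),
        "n4": int(contains(person, p_last)),
    }

if __name__ == "__main__":
    for prsnl_name, person_name in ROWS:
        print(prsnl_name, "|", person_name, match_flags(prsnl_name, person_name))
```

Escaping matters because a value such as "Smith.Jr" used directly as a pattern treats the dot as a wildcard, and a value containing an unbalanced bracket or parenthesis is not a valid pattern at all.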