Splunk Search

position of a string in another string

brettcave
Builder

I was looking through the functions available for locating the position of 1 string in another string, and couldn't see one (in http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonEvalFunctions).

While mvindex and substr will return the element at a position in a string or mv item, mvfind is meant to return the index of an element in an mv field.

However, is there no function to get the position of a string within another string (e.g. php's strpos function)? "match" returns a boolean on matching a string, but a function that worked the same as match and returned a numeric value for the number of matches would give a lot more scope to eval.

eval n=match_count("search","[ae]")
// n = 2. 0 means no matches
1 Solution

brettcave
Builder
... | transaction mvlist=t SessionID | ....

mvlist=t - order based on natural order (sequence of events).
mvlist=f - lexicographical ordering (default)

brettcave
Builder

Thanks echalex,

I have been trying to get it to work, but not really coming right. It could possibly be due to a transaction.

Given I have logs:

date - sessionId: xyz, uri: "/"
date - sessionId: xyz, uri: "/login"
date - sessionId: xyz, uri: "/signup"

with the dates increasing, when I add to a transaction, it merges all the entries. So with an mvindex on a split, it should split on the "/login" string, and mvindex 0 should return "date - .... "/".... uri:" but I am not getting it as expected... 😞

someSearch | transaction SessionID | eval n=mvindex(split(uri,"/login"),0)

echalex
Builder

Hi brettcave,
You could split the field into a mv-field and take the length of the first value of the mv-field:

eval foo=mvindex(split(your_field, "your string"),0) | eval bar=if(foo!=your_field,len(foo),-1)

The second eval will give foo the value -1 if "your string" isn't in your_field. Otherwise, it's the index. (To be exact, the number of characters before "your string". Change -1 to whatever you like.)

HTH
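As an added illustration (not part of the thread, and not Splunk code), the Python below models the split/mvindex/len idiom from the answer above together with the match_count behaviour the question wished for. The function names, the list-of-strings model of a multivalue field, and the sample values are all constructed for this example; it is not a Splunk API.

```python
"""Added example, not from the Splunk thread: a Python model of the SPL
idiom for locating a substring (split -> mvindex 0 -> len, with -1 when
absent) and of the hypothetical match_count() the question asked for.
A single-value field is a str; a multivalue field (as `transaction`
produces) is modelled as a list of str."""
import re
from typing import List, Union

NOT_FOUND = -1  # sentinel the answer's second eval returns when the needle is absent


def strpos_via_split(haystack: str, needle: str) -> int:
    """Model of:
        eval foo=mvindex(split(field,"needle"),0) | eval bar=if(foo!=field,len(foo),-1)
    Returns the number of characters before the first occurrence of needle,
    or -1 when needle does not occur."""
    if needle == "":
        raise ValueError("splitting on an empty string is undefined")
    foo = haystack.split(needle)[0]            # mvindex(split(field, needle), 0)
    return len(foo) if foo != haystack else NOT_FOUND  # if(foo!=field, len(foo), -1)


def match_count(value: str, pattern: str) -> int:
    """The hypothetical match_count(field, regex) from the question:
    number of non-overlapping regex matches, 0 when there are none."""
    return len(re.findall(pattern, value))


def strpos_mv(values: Union[str, List[str]], needle: str) -> List[int]:
    """Apply the idiom to each value of a multivalue field (e.g. the uri
    list a transaction builds), giving one position per value."""
    if isinstance(values, str):
        values = [values]
    return [strpos_via_split(v, needle) for v in values]


if __name__ == "__main__":
    # Constructed sample: the uri values from the question's three log lines
    uris = ["/", "/login", "/signup"]
    print(strpos_via_split("hello world", "world"))   # 6
    print(strpos_via_split("abc", "zzz"))             # -1
    print(match_count("search", "[ae]"))              # 2
    print(strpos_mv(uris, "/login"))                  # [-1, 0, -1]
```

One edge case worth noting: when the needle sits at the very start of the field, the first split element is an empty string, which this model counts as position 0. Splunk's treatment of an empty first multivalue element may differ by version, so that case should be checked in the target deployment before relying on the idiom in a detection search.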
