Splunk Search

compare a search results

vinoth12
New Member

Hi all,

There are 2 fields, A and B...

Values of A
apple
ora nge
kite
drink
mask

Values of B are

orange.12
orange.18
apple
oops
splunk
maskaz@op
@orange

I should get results as follows: whatever values from field A match in field B (like apple). Also, if a field A value is separated by a space, it should be considered as a single word.

orange.12
orange.18
@orange
apple

Please help!

1 Solution

Richfez
SplunkTrust

This sounds like some sort of homework question or something you are doing for a job interview. But I'll assume it's just that you decided to come up with an abstraction of the problem and that the abstraction just looks like one of those things. 🙂

So, on to the solution:

The idea I use below is to use the rex command in sed mode to change spaces into nothing (e.g. remove them). I then use the eval match() function to see if that string matches inside the one you want to match with or not.

| makeresults | eval a="ora nge", b="orange.12"
| rex mode=sed field=a "s/ //g"
| eval Matches = if(match(b, a), "Matches", "No match")

That first line just sets up the example run-anywhere search using makeresults and an eval (e.g. "creates" an event).

The second line is the rex to remove the space. So now that we have a field a without spaces, we can ...

Line three checks if the newly cleaned up field a exists inside field b anywhere. You'll notice you don't need wildcards. This is due to a reason too long to get into here, but if you find a regex tutorial online you'll figure it out pretty quick that this is how regular expressions work.

Note, you haven't mentioned what you want to DO with this result so I'm not sure where to take the answer from here, but know there are some variants that may be useful. For instance if you were only ever going to use it as a filter of a sort and never display the result for humans to read, then I wouldn't waste cognitive energy on using strings like that ("match" or "no match") and instead just make field Matches a 1 or a zero. Like:

...
| eval Matches = if(match(b, a), 1, 0)
| search Matches=1

To filter to only ones that match.

Happy Splunking!
-Rich

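As an added illustration (not part of Rich's answer or the Splunk product), the search's logic applied to the full lists from the question, in Python: spaces are stripped from each A value and an unanchored regex search is run against every B value, which is why no wildcards are needed. It goes one step beyond the answer: A values are escaped so a literal "." or "+" in A is not read as regex syntax, and an optional word-boundary mode shows that plain substring matching also returns "maskaz@op" (because "mask" is a substring of it), which the question's expected output does not list.

```python
import re

# Sample values constructed from the question (not real Splunk data).
FIELD_A = ["apple", "ora nge", "kite", "drink", "mask"]
FIELD_B = ["orange.12", "orange.18", "apple", "oops", "splunk", "maskaz@op", "@orange"]


def normalize(value: str) -> str:
    """Mirror `rex mode=sed field=a "s/ //g"`: delete every space."""
    return value.replace(" ", "")


def matching_b_values(a_values, b_values, whole_word=False):
    r"""Return the B values that contain any normalized A value.

    whole_word=False reproduces the answer's match(b, a): an unanchored
    regex search, so substrings count and no wildcards are needed.
    whole_word=True wraps each pattern in \b so "mask" no longer hits
    "maskaz@op". Every A value is re.escape()d so that a '.' or '+'
    in A is matched literally instead of being treated as regex syntax
    (match(b, a) in SPL would interpret it as a regex).
    """
    patterns = []
    for a in a_values:
        literal = re.escape(normalize(a))
        patterns.append(re.compile(rf"\b{literal}\b" if whole_word else literal))
    return [b for b in b_values if any(p.search(b) for p in patterns)]


if __name__ == "__main__":
    # Substring semantics, as in the accepted answer.
    print(matching_b_values(FIELD_A, FIELD_B))
    # Word-boundary variant, which yields exactly the list the question asked for.
    print(matching_b_values(FIELD_A, FIELD_B, whole_word=True))
```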

vinoth12
New Member

Thanks a lot Rich..
Thanks for helping me.. I thought wildcards would not work... so I was stuck there... Once again, thanks for getting me the output.

