Splunk Search

Can eval case match a fields value as a substring to another field?

Chandras11
Communicator

Hi All,

index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval Ticket_Main5 = substr(Ticket,1,5) | eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")

For example Ticket="Z1234B", LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A". So I need to extract Ticket_Main5 first, then check this field against another field, LINK_LIST, inside the eval case. There are other arguments in the eval case as well, which I removed here.

Or is there any other way where I can check if a field value is a substring of another field's value?


niketn
Legend

@Chandras11, please try the following run anywhere example based on the details provided.

| makeresults 
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2" 
| eval Ticket_Main5 = substr(Ticket,1,13) 
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


Chandras11
Communicator

I tried the match() function in the eval case, but it always gives me the result "NotFound", even if there is a match.
So I checked the documentation and found that we have 3 possibilities:
1. match(SUBJECT, "REGEX")
2. like(TEXT, PATTERN)
3. in(VALUE-LIST)

In all 3 cases, the first argument is shown as the field but the second argument is some string.


niketn
Legend

@Chandras11, you might have to provide some raw sample event which is not working as expected.

I tried a run anywhere search based on the details provided and that works fine! I tested with Z1234A, Z1234B and Z1234C.

For A & B I got the result SC2_Ticket and for C NotFound. So the next thing would be to figure out why the same would not work with raw data.

Also, once you have identified them as SC2_Ticket and NotFound, is there subsequent activity you need to perform or is that the final pipe?


Chandras11
Communicator

What I really need is the value of SC2_Ticket from the first event where Ticket_Main5 (SC1) is in LINK_LIST of SC2. "SC2_Ticket" as a string won't help.
However, it is possible to rename the fields for both sourcetypes and then combine another query to get the results.


niketn
Legend

@Chandras11, you can add the following eval to create two new fields, i.e. SC1_LINK_LIST and SC2_LINK_LIST, and use the required column as per your need.

| eval {sourcetype}_LINK_LIST=LINK_LIST

Following is a run anywhere search

| makeresults 
| eval LINK_LIST="A,B", sourcetype="SC1" 
| append 
    [| makeresults 
    | eval LINK_LIST="A B", sourcetype="SC2"]
| eval {sourcetype}_LINK_LIST=LINK_LIST

Chandras11
Communicator

Perfect, thanks for it. I can also use: index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval SC2_Link_List = if(sourcetype="SC2",LINK_LIST,null())


Chandras11
Communicator

Finally I found some issue with my query. Ticket="Z1234B" is in sourcetype="SC1" and LINK_LIST is in sourcetype="SC2". If I remove sourcetype="SC2", the search will give me the results. The problem is that both sourcetype="SC1" and sourcetype="SC2" have a field called LINK_LIST and I just want to check it in "SC2" only.
I tried it with an eval subsearch and join but I am not able to resolve it. The other question is posted at https://answers.splunk.com/answers/668508/parameter-passing-between-2-searches-as-input-as-w.html, where you can find some dummy row data 🙂

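The cross-sourcetype case raised in the post above (the ticket lives in an SC1 event, LINK_LIST and SC2_Ticket live in a separate SC2 event, so no single eval can see both) is shown below as an added run anywhere example; it is not part of the thread and its sample values are constructed to mirror the ones in the question, with one extra SC1 ticket "Q9999X" added to exercise the NotFound path. It splits each SC2 LINK_LIST on ";", reduces every entry and every SC1 ticket to the same 5-character prefix, and joins them with stats, so SC2_Ticket is carried over as a field value rather than a literal string.

```spl
| makeresults
| eval Ticket="Z1234B", sourcetype="SC1"
| append
    [| makeresults
    | eval Ticket="Q9999X", sourcetype="SC1"]
| append
    [| makeresults
    | eval LINK_LIST="C1234A001;Z1234A;Z1234B", SC2_Ticket="C1234A", sourcetype="SC2"]
| eval Ticket_Main5=if(sourcetype="SC1", substr(Ticket,1,5), null())
| eval link=if(sourcetype="SC2", split(LINK_LIST,";"), null())
| mvexpand link
| eval Ticket_Main5=coalesce(Ticket_Main5, substr(link,1,5))
| stats values(Ticket) as Ticket values(SC2_Ticket) as SC2_Ticket by Ticket_Main5
| where isnotnull(Ticket)
| eval Ticket_master=coalesce(SC2_Ticket, "NotFound")
| table Ticket Ticket_Main5 Ticket_master
```

Because the prefixes are compared as literal string keys in stats rather than passed to match() as a regex, a Ticket value containing regex metacharacters cannot change what is matched; if several SC2 events share a prefix, Ticket_master becomes a multivalue field, so add a first() or mvindex() there if exactly one value is required.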

Sukisen1981
Champion

Hi, could there be trailing spaces involved? Can you use a trim function to trim your fields before applying the substr or case functions?


Chandras11
Communicator

No, there is no trailing space, but it seems that the problem involves 2 different sourcetypes with the same field names.
