Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing string values and then matching field values?

ichesla1111
Path Finder
‎09-12-2022 12:26 PM

Hello, I am trying to match values in two different columns to see if both data sets contain the same serial number for a cellphone part. 

My search:

index=.. my search..... CellNumber="978499-" |dedup CellSerialNumber |table CellNumber CellSerialNumber

|appendcols [search ......CellNumber="978499-ALL" |dedup CellSerial |table CellNumber CellSerial]

| eval result=if(match(CellSerial,"%".CellSerialNumber."%"),"Contained", "Not Contained")


Results:

ichesla1111_1-1663010625013.png

 

Looking deeper into the data I see there is CellSerialNumber values with their last 6 digits (-6digits) equal to the six digit CellSerial number, yet they are given a "Not contained" value.

Why is this??

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

View solution in original post

Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:13 PM

if they are from different indexes (I suppose this is ment by different data sets?) you can also do something like "index=a OR index=b", so you'll get events out of both indexes

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:29 PM

Perfect! I can do that, but each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellSerialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:28 PM

I am trying your appraoch for the values and stats column chart, but how would I use rex to cutt of the first part of the CellserialNumber? Right now each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellserialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:32 PM

| rex field=CellserialNumber "978499-5-(?<testnumber>.*)"

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:42 PM

Thank you!!!!

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:11 PM

Thank you for getting back to me! Unfortunately, I have to do an appendcols command for the CellSerialNumber and CellSerial field values are from different data sets. 

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...