Hi all,
Hopefully my title makes sense, I'm trying to filter my results depending on the format of the username. I'm pumping in the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123
I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.
Is this possible within Splunk?
Any help is greatly appreciated! Thanks 🙂
Edited to avoid confusion.
Hi,
You can try to use the match function like in this example and filter on the new field created:
| makeresults
| eval username ="joe.blogs132"
| append
[| makeresults
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"
Like that you can choose if you want to match a student or a staff, as you want.
Let me know if it helps you 🙂
Kail
Hi Kail, thanks for your reply.
Apologies, I may have communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therefore it would need to be a simple variable and not specifying individual usernames.
For example: If username contains numbers, do not include in the search result.
Thanks for your help though.
Ok so something like that I guess:
Base search
| where NOT match(username,"\d")
or with @vnravikumar's solution (the regex one)
Unfortunately, you cannot do it directly in the base search.
You've got it! Thank you very much, just tested and that's exactly what I needed. You're a star!
Hi @danfinan
Try this and let me know
| makeresults
| eval username ="joe.blogs123"
| regex username ="\d"
OR
| makeresults
| eval username ="joe.blogs123,andrew.smith"
| makemv delim="," username
| mvexpand username
| eval result= if(match(username,"\d"),"student","staff")