- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can eval case match a fields value as a substr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval Ticket_Main5 = (Ticket,1,5)| eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")
For example Ticket= "Z1234B" and LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A" . So I need to extract Ticket_Main5 first. Then check this field in another field LINK_LIST inside eval case. There are other arguments in eval case as well, which I removed here.
Or is there any other way, where I can check if a field value is a substring of other field value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Chandras11, please try the following run anywhere example based on the details provided.
| makeresults
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2"
| eval Ticket_Main5 = substr(Ticket,1,13)
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Chandras11, please try the following run anywhere example based on the details provided.
| makeresults
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2"
| eval Ticket_Main5 = substr(Ticket,1,13)
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the match() command in eval case, but it is always giving me a result "NotFound", even if there is a match.
So I checked the documentation and found that we have 3 possibilities:-
1. match(SUBJECT, "REGEX") -
2. like(TEXT, PATTERN) :-
3. in(VALUE-LIST)
In all 3 cases, The first argument is shown as the field but the second argument is some string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Chandras11, you might have to provide some raw sample event which is not working as expected.
I tried run anywhere search based on details provided and that works fine! I tested with Z1234A, Z1234B andZ1234C.
For A & B I got result as SC2_Ticket and for C NotFound. So next thing would be to figure out why the same would not work with Raw data.
Also, once you have identified them as SC2_Ticket and NotFound, is there subsequent activity you need to perform or is that the final pipe?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I really need the value of SC2_Ticket from the first event where Ticket_Main5 (SC1) is in LINK_LIST of SC2. "SC2_Ticket" as a string won't help.
However, It is possible to rename the fields for both sourcetypes and then combine another query to get the results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Chandra11, you can add the following eval to create two new fields i.e. SC1_LINK_LIST and SC2_LINK_LIST and use required column as per your need.
| eval {sourcetype}_LINK_LIST=LINK_LIST
Following is a run anywhere search
| makeresults
| eval LINK_LIST="A,B", sourcetype="SC1"
| append
[| makeresults
| eval LINK_LIST="A B", sourcetype="SC2"]
| eval {sourcetype}_LINK_LIST=LINK_LIST
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect, thanks for it. I can also use:- index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval SC2_Link_List = if(sourcetype="SC2",LINK_LIST,null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inally I found some issue with my query. Ticket="Z1234B" is in sourcetype="SC1" and LINK_LIST is in sourcetype="SC2". If I remove sourcetype="SC2", the search will give me the results. The problem is that both sourcetype="SC1" and sourcetype="SC2" has a field called LINK_LIST and I just want to check it in "SC2" only.
I tried it with eval sub search and join but I am not able to resolve it. The other question is posted at https://answers.splunk.com/answers/668508/parameter-passing-between-2-searches-as-input-as-w.html : where you can find some dummy row data 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, could there be trailing spaces involved? can you use a trim function to trim your fields before applying substr or case functions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, there is no trailing space but it seems that the problem is involving 2 different source types with same field names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
