topic Re: Searching a field using another field in Reporting

Searching a field using another field

ISP8055 — Thu, 26 Nov 2020 16:48:20 GMT

Hi there,

I want to search events for example A =B*xy

Where B is another field name with different values depending on user input. * is the wildcard

So. I'm looking for events where A would be NYabxy, NYccxy, etc. Here value of B is NY

How would I do search syntax?
This doesn't work:
| search A=B*xy
as here B is considered a string not a field name.

would
"where" be better alternative?

The main point of me doing this I wanna make my search more efficient as I want Splunk to only search events where A=NY*xy is applicable instead of searching every event with A field.

Re: Searching a field using another field

richgalloway — Thu, 26 Nov 2020 17:49:18 GMT

Yes, where is better than search in this case. The search command accepts only strings and patterns on the RHS whereas the where command also accepts fields and expressions. You could do something like this:

index=foo A=* | where match(A,B.".*xy")

Here, the match function compares a field to a regular expression. That regex is a concatention of field B, a wildcard (.*) and "xy".

Note that this does not save the indexers from reading all values of A, but it does filter A early so that helps some.

Re: Searching a field using another field

ISP8055 — Thu, 26 Nov 2020 19:56:58 GMT

Hi there,

I applied this syntax. I'm getting the following error:
Error in 'where' command: The expression is malformed. Expected ).

Re: Searching a field using another field

richgalloway — Thu, 26 Nov 2020 20:44:29 GMT

Hmm... Try this alternative

index=foo A=* | where match(A,'B' . ".*xy")