topic Re: Can eval case match a fields value as a substring to another field? in Splunk Search

Can eval case match a fields value as a substring to another field?

Chandras11 — Tue, 29 Sep 2020 20:12:59 GMT

Hi All,

index="index1" sourcetype="SC1" OR sourcetype="SC2"  | eval Ticket_Main5 = (Ticket,1,5)| eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")

For example Ticket= "Z1234B" and LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A" . So I need to extract Ticket_Main5 first. Then check this field in another field LINK_LIST inside eval case. There are other arguments in eval case as well, which I removed here.

Or is there any other way, where I can check if a field value is a substring of other field value.

Re: Can eval case match a fields value as a substring to another field?

niketn — Thu, 28 Jun 2018 07:32:47 GMT

@Chandras11, please try the following run anywhere example based on the details provided.

| makeresults 
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2" 
| eval Ticket_Main5 = substr(Ticket,1,13) 
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Thu, 28 Jun 2018 07:48:17 GMT

I tried the match() command in eval case, but it is always giving me a result "NotFound", even if there is a match.
So I checked the documentation and found that we have 3 possibilities:-
1. match(SUBJECT, "REGEX") -
2. like(TEXT, PATTERN) :-
3. in(VALUE-LIST)

In all 3 cases, The first argument is shown as the field but the second argument is some string.

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Thu, 28 Jun 2018 07:54:17 GMT

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/ConditionalFunctions

Re: Can eval case match a fields value as a substring to another field?

niketn — Thu, 28 Jun 2018 08:02:33 GMT

@Chandras11, you might have to provide some raw sample event which is not working as expected.

I tried run anywhere search based on details provided and that works fine! I tested with Z1234A, Z1234B andZ1234C.

For A & B I got result as SC2_Ticket and for C NotFound. So next thing would be to figure out why the same would not work with Raw data.

Also, once you have identified them as SC2_Ticket and NotFound, is there subsequent activity you need to perform or is that the final pipe?

Re: Can eval case match a fields value as a substring to another field?

Sukisen1981 — Thu, 28 Jun 2018 08:09:13 GMT

hi, could there be trailing spaces involved? can you use a trim function to trim your fields before applying substr or case functions?

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Thu, 28 Jun 2018 08:24:29 GMT

No, there is no trailing space but it seems that the problem is involving 2 different source types with same field names.

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Tue, 29 Sep 2020 20:13:05 GMT

inally I found some issue with my query. Ticket="Z1234B" is in sourcetype="SC1" and LINK_LIST is in sourcetype="SC2". If I remove sourcetype="SC2", the search will give me the results. The problem is that both sourcetype="SC1" and sourcetype="SC2" has a field called LINK_LIST and I just want to check it in "SC2" only.
I tried it with eval sub search and join but I am not able to resolve it. The other question is posted at https://answers.splunk.com/answers/668508/parameter-passing-between-2-searches-as-input-as-w.html : where you can find some dummy row data 🙂

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Tue, 29 Sep 2020 20:13:07 GMT

What I really need the value of SC2_Ticket from the first event where Ticket_Main5 (SC1) is in LINK_LIST of SC2. "SC2_Ticket" as a string won't help.
However, It is possible to rename the fields for both sourcetypes and then combine another query to get the results

Re: Can eval case match a fields value as a substring to another field?

niketn — Tue, 29 Sep 2020 20:13:10 GMT

@Chandra11, you can add the following eval to create two new fields i.e. SC1_LINK_LIST and SC2_LINK_LIST and use required column as per your need.

| eval {sourcetype}_LINK_LIST=LINK_LIST

Following is a run anywhere search

| makeresults 
| eval LINK_LIST="A,B", sourcetype="SC1" 
| append 
    [| makeresults 
    | eval LINK_LIST="A B", sourcetype="SC2"]
| eval {sourcetype}_LINK_LIST=LINK_LIST

Re: Can eval case match a fields value as a substring to another field?

Chandras11 — Tue, 29 Sep 2020 20:13:13 GMT

perfect, thanks for it. I can also use:- index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval SC2_Link_List = if(sourcetype="SC2",LINK_LIST,null())