topic Re: How to adjust search to include names that are also hyphenated in Splunk Search

How to adjust search to include names that are also hyphenated

dougsummersett — Mon, 25 Nov 2019 18:30:48 GMT

We ingest patient records into Splunk and some compliance users need to search to see if an employee accessed records of family members. We create a report that shows any employee that accesses a record that exactly matches their last name. This will not match any patients that might be hyphenated or apostrophe.

How can I adjust my search to make it not an exact match but if it contains the same value?

Re: How to adjust search to include names that are also hyphenated

oscar84x — Mon, 25 Nov 2019 18:56:46 GMT

Could you share your search as well a sample event or just the field containing the value you're searching for?

Re: How to adjust search to include names that are also hyphenated

dougsummersett — Wed, 30 Sep 2020 03:08:40 GMT

Here is the search we are using to match the user and patient's last names.

index="clinical_applications" sourcetype=app | eval USER_NAME=split(USER_NAME,",") | eval USER_NAME_LAST=mvindex(USER_NAME,0) | eval USER_NAME_FIRST=mvindex(USER_NAME,1) | eval PATIENT_LAST_NAME=upper(PATIENT_LAST_NAME) | eval PATIENT_FIRST_NAME=upper(PATIENT_FIRST_NAME) | where PATIENT_LAST_NAME = USER_NAME_LAST | strcat PATIENT_FIRST_NAME " " PATIENT_LAST_NAME PATIENT_NAME | convert ctime(_time) as Time | rename EPIC_ENTERPRISE_MRN_ID as MRN_ID | rename METRIC_DESCRIPTION as ACTION | table Time,USER_NAME,WORKSTATION,PATIENT_NAME,MRN_ID,ENVIRONMENT,ACTION

Re: How to adjust search to include names that are also hyphenated

dougsummersett — Tue, 26 Nov 2019 14:49:48 GMT

In this search, we split the user_name field into first and last name then convert to upper case then compare the user last name and patient last name. After that we make it pretty for the users to read.

Re: How to adjust search to include names that are also hyphenated

aberkow — Tue, 26 Nov 2019 16:09:02 GMT

Hi - I played around with a bunch of the options from here: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions#match.28SUBJECT.2C_.22REGEX.22.29

And got the below code to work -

{code}
| makeresults count=1
| streamstats count
| eval Name2 = "Name2"
| eval hyphenNameThatShouldMatch=case(count=1, "Name1-Name2")
| eval hyphenNameThatShouldntMatch=case(count=1, "Name3-Name4")
| eval match=case(like(hyphenNameThatShouldMatch,"%".Name2."%"), 1)
| eval shouldntMatch=case(like(hyphenNameThatShouldntMatch,"%".Name2."%"), 1)
| table Name2, hyphenNameThatShouldMatch, match, hyphenNameThatShouldntMatch, shouldntMatch
{code}

Basically, you asked Splunk to return a bool for whether there was a "like" regex match for the name with wildcards on each side, you can trim this if you know things like where the pattern should match more accurately.

Hope this helps!

Re: How to adjust search to include names that are also hyphenated

woodcock — Wed, 27 Nov 2019 00:34:19 GMT

Here is a run-anywhere search that proves that hyphenated searches do work:

index=_* AND "data.instance_guid"="*-*-*-*-*"

Are you saying that one of your datasets has stripped the hyphens and apostrophes from the dataset so you need to normalize one side or the other to do the search?