topic Re: evaluate multiple fields in Splunk Search

evaluate multiple fields

xyz123 — Wed, 03 Feb 2021 02:26:32 GMT

Hello,
I have 2 fields I want to filter they are: name, "short name"

I want to pull all the events that contains: name="software" or "short name"=software"
and exclude: "Splunk" "Adobe" "Microsoft".. and another 50 names for both fields

I have this for the exclusion:

One question: is there a way to put this in 1 sentence instead of use duplication like above?
for example:

| regex (name| "short name")!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"

Thanks,
xyz123

Re: evaluate multiple fields

bowesmana — Wed, 03 Feb 2021 03:16:34 GMT

You can use the 'where' command instead of regex and do

Note that in a where clause, the field names have the same rules as in eval statements, i.e. for fields containing non standard characters, you need to wrap the field in single quotes

Re: evaluate multiple fields

manjunathmeti — Wed, 03 Feb 2021 04:48:01 GMT

hi @xyz123 ,

If fields name and "short name" part of your index then you can filter them in the main search only. This will be much faster.

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

1. Create a macro with an argument.

macros.conf

2. Use that macro in your search.

index=indexname sorcetype=sourcetypename NOT [`filter_software("name")`] NOT [`filter_software("short name")`]

If this reply helps you, an upvote/like would be appreciated.

Re: evaluate multiple fields

xyz123 — Fri, 05 Feb 2021 13:43:26 GMT

I like this solution show my code clean, and yes I'm filtering my fields, "name" and 'short name" at the "index" line, thanks

Re: evaluate multiple fields

xyz123 — Fri, 05 Feb 2021 13:45:04 GMT

I tried, this but since they are around more than 50 "name" it's going to take a lot of code that's why I went using RegEx, thanks so much for your reply.