topic Re: Relative pattern matching in Splunk Search

Relative pattern matching

pmehta77 — Thu, 28 Dec 2017 17:37:37 GMT

I am trying to do relative searches over multiple sources. I want to be able search source1 in source2 or vice versa to the closest match. For example
Source1:

Publisher Name Version
Microsoft SQL Server 2008
Microsft Office 2010

Source2:
Product
Microsoft SQL Server Common Files
Microsoft SQL Server 2012
Microsoft SQL Server 2008
Any help would be appreciated.

Re: Relative pattern matching

richgalloway — Thu, 28 Dec 2017 18:32:01 GMT

It's not clear what you hope to achieve. What do you mean by "relative pattern"? Given those two sources, what do you want the search results to be?

Re: Relative pattern matching

pmehta77 — Thu, 28 Dec 2017 21:16:10 GMT

Ok. Let me try to clarify it again. So i am looking for a relative match between , for example , IBM Tivoli Endpoint Manager and IBM Endpoint Manager. The reason its a relative match is because only one word
"Tivoli "is missing from name in source2. Similarly if i have Oracle JBEA Rocket in Source1 and Source2 has "BEA Rocket" that should be a close match. I hope that clarifies otherwise i will make another example. My personal thought was that i need to use a Fuzzy search mechanism or a cluster search that can bring out matching event types. But I am not sure how to apply that across multiple sources.

Re: Relative pattern matching

micahkemp — Thu, 28 Dec 2017 21:24:04 GMT

There is a Levenshtein app for Splunk. It makes use of Levenshtein distance, which sounds like it may suit your needs.