https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351858#M165997 <P>Heh. We've encountered this kind of question before. I'm starting to think it's a class assignment somewhere. Here's one version...</P> <P><A href="https://answers.splunk.com/answers/56112/how-can-i-aggregate-some-values-of-a-field-and-divide-a-list-into-2-parts.html">https://answers.splunk.com/answers/56112/how-can-i-aggregate-some-values-of-a-field-and-divide-a-list-into-2-parts.html</A></P> <P>The basic form of the test required is like this...</P> <PRE><CODE>| rex "(?i)(?&lt;matchword&gt;firstword|secondword|thirdword|morewords)" max_match=0 | where mvcount(matchword)&gt;1 </CODE></PRE> <P>...and you can build the rex with code like this if your lookup table is going to be stable...</P> <P><A href="https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html">https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html</A></P> <P>... ah, this may be the whole thing, or at last closely related...</P> <P><A href="https://answers.splunk.com/answers/555958/search-based-on-word-match.html">https://answers.splunk.com/answers/555958/search-based-on-word-match.html</A></P> Wed, 20 Sep 2017 21:44:24 GMT DalJeanis 2017-09-20T21:44:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351856#M165995 <P>Hi, Fellow Splunkers,</P> <P>Noob question. I would like to seek for help in my search, this is the case: The client gave csv for keywords, the search should be filtered based on the keyword matched, for example, the keywords are "Apple, Banana, Car" the output data should contain 2 or more of the keyword match. What will be my search? Is there an <CODE>if match.count &gt; 1</CODE> condition in splunk? </P> <P>Thanks,</P> Wed, 20 Sep 2017 11:41:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351856#M165995 dantimola 2017-09-20T11:41:53Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351857#M165996 <P>can you please put an example of csv here ? and sample output of what you require?</P> Wed, 20 Sep 2017 11:59:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351857#M165996 koshyk 2017-09-20T11:59:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351858#M165997 <P>Heh. We've encountered this kind of question before. I'm starting to think it's a class assignment somewhere. Here's one version...</P> <P><A href="https://answers.splunk.com/answers/56112/how-can-i-aggregate-some-values-of-a-field-and-divide-a-list-into-2-parts.html">https://answers.splunk.com/answers/56112/how-can-i-aggregate-some-values-of-a-field-and-divide-a-list-into-2-parts.html</A></P> <P>The basic form of the test required is like this...</P> <PRE><CODE>| rex "(?i)(?&lt;matchword&gt;firstword|secondword|thirdword|morewords)" max_match=0 | where mvcount(matchword)&gt;1 </CODE></PRE> <P>...and you can build the rex with code like this if your lookup table is going to be stable...</P> <P><A href="https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html">https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html</A></P> <P>... ah, this may be the whole thing, or at last closely related...</P> <P><A href="https://answers.splunk.com/answers/555958/search-based-on-word-match.html">https://answers.splunk.com/answers/555958/search-based-on-word-match.html</A></P> Wed, 20 Sep 2017 21:44:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351858#M165997 DalJeanis 2017-09-20T21:44:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351859#M165998 <P>Thank you very much! </P> Thu, 21 Sep 2017 02:58:38 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351859#M165998 dantimola 2017-09-21T02:58:38Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351860#M165999 <P>Hi I would like to seek for help once again, what about this case, the keyword needs to find is "Apple"<BR /> the regex couldn't find the word Apple if it has a comma on its side unless I'll also add the comma in the keyword like <CODE>Apple, | Banana</CODE>:</P> <PRE><CODE>rex "(?i)(?&lt;keyword_found&gt;Apple| Banana...... </CODE></PRE> <P>Apple,</P> Fri, 22 Sep 2017 03:04:55 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351860#M165999 dantimola 2017-09-22T03:04:55Z https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351861#M166000 <P>@dantimola - unless you want to treat "Apple" and "Apple," as two different items, you should leave out the punctuation. The regex will find Apple no matter what is around it... for example, CrabApple or ApplePieComputers would still lead to finding Apple.</P> Mon, 25 Sep 2017 14:03:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-search-help-output-data-should-match-2-or-more-of-the/m-p/351861#M166000 DalJeanis 2017-09-25T14:03:13Z