topic Re: Matching several strings in a field in Splunk Search

Matching several strings in a field

gelspas — Thu, 16 Sep 2021 14:12:19 GMT

I have a field (FIELD1) that may contain one of several strings. These strings may appear in different locations within FIELD1. I would like to select all records where FIELD1 contains any of these strings.

Example of 4 strings: "ABC(Z" "DEF(Z" "GHIJK (Z" "LMNOP (Z"

What is an efficient method for selecting any records that contain any one of these strings in any location within FIELD1?

Re: Matching several strings in a field

gcusello — Thu, 16 Sep 2021 14:21:18 GMT

Hi @gelspas,

if you have a limited number of strings, you could use a regex like this:

| rex field=FIELD1 "(?<your_string>(\"ABC\(Z\")|(\"DEF\(Z\")|(\"GHIJK \(Z\")|(\"LMNOP \(Z\"))"

putting much attention when you write the strings to search.

In this way, when one of the strings is present, you have that string in the field your_string. otherwise the field is empty.

If instead you have many strings, you could put them in a lookup, called e.g. "patterns.csv", with one field called "pattern" and run a search like this:

index=your-index [ | inputlookup patterns.csv | rename pattern AS query | fields query ] | ...

in this way you use the strings in the lookup to filter your events.

Ciao.

Giuseppe

Re: Matching several strings in a field

gelspas — Thu, 16 Sep 2021 15:38:27 GMT

Thank you but I do not think this rex accomplishes what I need or perhaps I am reading it wrong? My regex knowledge is not strong.

I only wish to keep records where FIELD1 contains one of the 4 strings.

In the example below only the first two records should be kept because they match on ABC(Z and GHIJK(Z. The third record would not match.

Examples of FIELD1:

Record 1: 09162021 CMDONE ABC(Z123456) MORE TEXT

Record 2: 09152021 CMD TWO GHIJK(ZABC123) MORE TEXT

Record 3: 09162021 CMD3 LMNO(A1234BD) MORE TEXT

Re: Matching several strings in a field

gcusello — Fri, 17 Sep 2021 06:46:25 GMT

Hi @gelspas,

if you're not interested to know which string is found, you could use the regex command to search those strings:

| regex FIELD1="(\"ABC\(Z\")|(\"DEF\(Z\")|(\"GHIJK \(Z\")|(\"LMNOP \(Z\")"

My hint is to use the lookup solution so you'll have a dynamic solution instead to have the strings to search in the code.

Ciao.

Giuseppe

Re: Matching several strings in a field

gelspas — Fri, 17 Sep 2021 10:19:29 GMT

This worked. I just had to remove the quotes around the strings since I was not looking for them.

regex FIELD1="(ABC\(Z) | (DEF\(Z) | (GHIJK\(Z) | (LMNOP\(Z)"

Thank you