topic Re: How Can I Create a Search To Compare 2 Fields with LIKE? in Splunk Search

How Can I Create a Search To Compare 2 Fields with LIKE?

onur — Sat, 06 Nov 2021 12:40:18 GMT

Hi Everyone,

I need to compare 2 fields with like command but I cant do it even if I tried many solutions.

For Example;

event1  field1="raceCar"  field2="car"
event2  field1="trying"  field2="hello"
event3  field1="splunk"  field2="helloSplunkEnterprise"

Desired result:

  event1  result=hit
  event2  result=miss
  event3  result=hit

I tried | eval results= if (match()) but didnt work

Is there any suggestion about this SPL?

Thanks alot for your helps

Re: How Can I Create a Search To Compare 2 Fields with LIKE?

ITWhisperer — Sat, 06 Nov 2021 13:52:34 GMT

| eval result=if(like(lower(field1),"%".lower(field2)."%") OR like(lower(field2),"%".lower(field1)."%"),"hit","miss")

Re: How Can I Create a Search To Compare 2 Fields with LIKE?

onur — Sat, 06 Nov 2021 14:03:17 GMT

Hi,

Thanks for your reply. When I tried this search, the problem is not solved. I am leaving 2 field below. These fields dont match.

Source1 = 536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656

Source2 = remote_splunk_.com_536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656

Source1 = remote_splunk_.com_536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656

Source2 = 536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656

Re: How Can I Create a Search To Compare 2 Fields with LIKE?

ITWhisperer — Sat, 06 Nov 2021 14:17:15 GMT

Here is a runanywhere example of the comparison working

| makeresults | eval field1="536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656" | eval field2="remote_splunk_.com_536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656" | eval result=if(like(lower(field1),"%".lower(field2)."%") OR like(lower(field2),"%".lower(field1)."%"),"hit","miss")

If this is not your situation, you should expand on what exactly you are trying to do, perhaps with more realistic examples.

Re: How Can I Create a Search To Compare 2 Fields with LIKE?

onur — Sat, 06 Nov 2021 19:18:13 GMT

Actually, ı am trying to combine 2 searches. The first search is returning a search id in _audit index and the secone one is again returning a search id from _introspection index. In this way, I want to 2 combine these 2 searches and match the search id's. The main idea to create this search is that we want to find the total memory or cpu usage per ad hoc search.

Re: How Can I Create a Search To Compare 2 Fields with LIKE?

ITWhisperer — Sun, 07 Nov 2021 09:21:07 GMT

Technically, the problem you first described is solved - you have now described a different problem. You are trying to "join" events where the joining field values only partially match.

Given your example, can you extract just the string you want to match on?

For example, if you can assume that the id is made up of numbers, uppercase letters, minus and underscore, and sometimes preceded by an underscore, you could try something like this

| makeresults | eval field1=split("536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656|remote_splunk_.com_536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656","|") | mvexpand field1 | streamstats count as source | eval name="datafrom".source | eval {name}=random()%10 | fields - name | rex field=field1 max_match=0 "_?(?<id>[0-9A-Z_-]+)" | eval id=mvindex(id,-1) | stats values(*) as * by id