topic Re: How to match partial values of field a with partial values of field b ? in Splunk Search

How to match partial values of field a with partial values of field b ?

innoce — Wed, 30 Aug 2023 05:26:57 GMT

Hi, I want to match partial values of field a with partial values of field b.. I tried with match/like but no luck..

field a
AA\ABC$
BB\DCE$

field b
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET

Now my results should return

field a = field b
ABC = ABC
DCE = DCE

Could someone pls help me on this?

Re: How to match partial values of field a with partial values of field b ?

bowesmana — Wed, 30 Aug 2023 05:59:50 GMT

Are you looking for any length partial match of field a with b?

i.e. if field a is AA\ABC$

and field B is 123456789A987654321

do you want a match because it contains A? which is a partial match?

Re: How to match partial values of field a with partial values of field b ?

innoce — Wed, 30 Aug 2023 07:04:47 GMT

@bowesmana , nope.. let me share the exact example values

field a = AAAAA\ABCDE-SS410009$

field b = A=AAAAA\ABCDE-SS410009,B=Domain,C=AB,D=XXX,E=NET

Now I want to match
field a= AAAAA\ABCDE-SS410009
field b= AAAAA\ABCDE-SS410009
like this

Re: How to match partial values of field a with partial values of field b ?

gcusello — Wed, 30 Aug 2023 08:30:11 GMT

Hi @innoce ,

as @bowesmana said, you have to extract the second value from the second field.

Are you sure about the position of the second value in the second field?

if it's alway after "A=" and always in the beginning of the field, you could use the following regex:

<your_search> | rex field=b "^A\=(?<A>[^,]*)" | where a=A

that you can test at https://regex101.com/r/9hePOP/1 othrwise you have to modify the regex but using the same approach.

Ciao.

Giuseppe

Re: How to match partial values of field a with partial values of field b ?

bowesmana — Wed, 30 Aug 2023 22:59:20 GMT

Sorry, still not sure I get it, you say partial matches of both A and B, so for your second example what are the rules there?

field a = AAAAA\ABCDE-SS410009$
field b = A=AAAAA\ABCDE-SS410009,B=Domain,C=AB,D=XXX,E=NET

Now I want to match
field a= AAAAA\ABCDE-SS410009
field b= AAAAA\ABCDE-SS410009
like this

In the above, you show that all characters up to and excluding the final $ sign are found in B, so you appear to be showing the longest match of A found in B.

So, if A had

AAAAA\ABCDE-PP921234$

would you expect to see AAAAA\ABCDE as a match result

and if A had

BBBBB\ABCDE-SS410009$

would you expect to see ABCDE-SS410009 as a match

Also is the A= part in B related to field 'a'?

Re: How to match partial values of field a with partial values of field b ?

yuanliu — Thu, 31 Aug 2023 06:53:31 GMT

Looks like there is also a trailing "$" in field a.

<your_search> | rex field=b "^A\=(?<A>[^,]*)" | where a=A."$"

Something like that.

Re: How to match partial values of field a with partial values of field b ?

innoce — Thu, 31 Aug 2023 14:57:47 GMT

@gcusello , Thanks for the headsup.. as said, I modified the regex..

| rex "fieldb=(?P<fieldb>\w*[\-|\_]\w*)\," | rex "fielda\:\s+(?P<fielda_X>\w*\-\w*)\$" and used the where condition to find matches | where 'fielda_X'='fieldb'

Its working now as expected..

Re: How to match partial values of field a with partial values of field b ?

gcusello — Thu, 31 Aug 2023 21:28:11 GMT

Hi @innoce,

You don't need quotes id in the field names there isn't any space or special char.

Anyway, good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: How to match partial values of field a with partial values of field b ?

gcusello — Fri, 01 Sep 2023 16:56:09 GMT

HI @innoce ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉