https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660772#M228139 <P>I get a rough idea about what the OP wants:</P><OL><LI>The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and</LI><LI>All upper level domains in DNS and those in Identified_Host are identical.</LI></OL><P>If this is correct, here is a literal interpretation.</P><P>&nbsp;</P><LI-CODE lang="markup">| foreach DNS Identified_Host [rex field=&lt;&lt;FIELD&gt;&gt; "(?&lt;&lt;&lt;FIELD&gt;&gt;_low&gt;[^\.]+).(?&lt;&lt;&lt;FIELD&gt;&gt;_up&gt;.+)"] | where match(DNS_low, "^". Identified_Host_low. "-(admin|mgt)$") AND DNS_up == Identified_Host_up | fields - *_low *_up</LI-CODE><P>&nbsp;</P><P>Pro tip: You can do volunteers here a great favor if you not just describe the data, but also demonstrate what is desired result, then explain the logic between data and desired result.</P><P>Using the data emulation&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/158935">@yeahnah</a>&nbsp;gives, the result from this search is</P><TABLE><TBODY><TR><TD>DNS</TD><TD>Identified_Host</TD></TR><TR><TD>host1-admin.domain.com</TD><TD>host1.domain.com</TD></TR><TR><TD>host1-mgt.domain.com</TD><TD>host1.domain.com</TD></TR></TBODY></TABLE><P>Are these what you expect?</P> Sat, 14 Oct 2023 08:37:06 GMT yuanliu 2023-10-14T08:37:06Z https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660543#M228050 <P>I have a field called DNS whos field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:<BR /><BR /></P><TABLE border="1" width="45.41876995982281%"><TBODY><TR><TD width="41.85606060606061%" height="25px">DNS</TD><TD width="24.810606060606066%" height="25px">Identified_Host</TD></TR><TR><TD width="41.85606060606061%" height="25px">host1.domain.com</TD><TD width="24.810606060606066%" height="25px">host1.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host1-admin.domain.com</TD><TD width="24.810606060606066%" height="25px">host1.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host1-mgt.domain.com</TD><TD width="24.810606060606066%" height="25px">host1.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host2.domain.com</TD><TD width="24.810606060606066%" height="25px">host2.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host2-admin.com</TD><TD width="24.810606060606066%" height="25px">host2.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host2-mgt.admin.com</TD><TD width="24.810606060606066%" height="25px">host2.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host3.domain.com</TD><TD width="24.810606060606066%" height="25px">host3.domain.com</TD></TR><TR><TD width="41.85606060606061%" height="25px">host3-admin.com</TD><TD width="24.810606060606066%" height="25px">host3.domain.com</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>From this example. it's shown that Indetified_Host is the main name of the host. I need to find out which hosts in Identified_Hosts have values in DNS with the same name but also end with -admin and/or -mgt.&nbsp;</P> Thu, 12 Oct 2023 15:28:22 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660543#M228050 atebysandwich 2023-10-12T15:28:22Z https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660592#M228081 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253260">@atebysandwich</a>&nbsp;<BR /><BR />I'm not 100% sure I understand what you are trying to do but does this run anywhere example help...</P><LI-CODE lang="markup">| makeresults | eval _raw="DNS,Identified_Host host1.domain.com,host1.domain.com host1-admin.domain.com,host1.domain.com host1-mgt.domain.com,host1.domain.com host2.domain.com,host2.domain.com host2-admin.com,host2.domain.com host2-mgt.admin.com,host2.domain.com host3.domain.com,host3.domain.com host3-admin.com,host3.domain.com" | multikv forceheader=1 | table DNS Identified_Host ```^^^ dummy events ^^^``` | where DNS!=Identified_Host | stats values(DNS) BY Identified_Host</LI-CODE><P>&nbsp;</P> Thu, 12 Oct 2023 22:11:07 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660592#M228081 yeahnah 2023-10-12T22:11:07Z https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660772#M228139 <P>I get a rough idea about what the OP wants:</P><OL><LI>The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and</LI><LI>All upper level domains in DNS and those in Identified_Host are identical.</LI></OL><P>If this is correct, here is a literal interpretation.</P><P>&nbsp;</P><LI-CODE lang="markup">| foreach DNS Identified_Host [rex field=&lt;&lt;FIELD&gt;&gt; "(?&lt;&lt;&lt;FIELD&gt;&gt;_low&gt;[^\.]+).(?&lt;&lt;&lt;FIELD&gt;&gt;_up&gt;.+)"] | where match(DNS_low, "^". Identified_Host_low. "-(admin|mgt)$") AND DNS_up == Identified_Host_up | fields - *_low *_up</LI-CODE><P>&nbsp;</P><P>Pro tip: You can do volunteers here a great favor if you not just describe the data, but also demonstrate what is desired result, then explain the logic between data and desired result.</P><P>Using the data emulation&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/158935">@yeahnah</a>&nbsp;gives, the result from this search is</P><TABLE><TBODY><TR><TD>DNS</TD><TD>Identified_Host</TD></TR><TR><TD>host1-admin.domain.com</TD><TD>host1.domain.com</TD></TR><TR><TD>host1-mgt.domain.com</TD><TD>host1.domain.com</TD></TR></TBODY></TABLE><P>Are these what you expect?</P> Sat, 14 Oct 2023 08:37:06 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-Find-All-Names-that-Match-a-Name-in-a-Field/m-p/660772#M228139 yuanliu 2023-10-14T08:37:06Z