topic Re: compare fields for like match in Splunk Search

compare fields for like match

rg33 — Wed, 25 Jul 2012 15:23:59 GMT

I am looking for methods to compare two fields for a like match.

Specifically, I'd like to match when field1 can be found within field2. Also, I would like the comparison to be support either case sensitive or insensitive options. Fuzzy matching, including degree of similarity or confidence values, would also be helpful.

For example, given two events:

event1  field1="race"  field2="Racecar"
event2  field1="jump"  field2="Rope"
event3  field1="flip"  field2="BackFlip"

Desired result:

  event1  result=hit
  event2  result=miss
  event3  result=hit

Thanks in advance for your suggestions.

-rg

Re: compare fields for like match

dwaddle — Fri, 27 Jul 2012 01:31:14 GMT

Is this both question and answer? If so, you should edit it so the answer appears in an answer response below. That is more clear and you can get karma for a correct answer to your question and a "self-learner" badge for answering your own question 🙂

Re: compare fields for like match

rg33 — Fri, 27 Jul 2012 13:54:34 GMT

One solution:

Case sensitive matching:

search ... | eval results = if(match(field2,field1), "hit", "miss")

Case insensitive matching:

search ... | eval results = if(match(upper(field2),upper(field1)), "hit", "miss")

I hope this helps others. I tried quite a few other ways before discovering this.

Re: compare fields for like match

dfqobvbkmnpi — Tue, 23 May 2017 20:56:37 GMT

looks like you have an extra ) or not enough ( in the case sensitive solution.

Re: compare fields for like match

countermancs — Thu, 26 Oct 2017 17:26:26 GMT

I am trying to match a the values of a 1 field with the values of another field .

When i use this eval I get Error in 'eval' command: The arguments to the 'match' function are invalid.

any ideas?

Re: compare fields for like match

mad4wknds — Tue, 26 Dec 2017 14:00:59 GMT

I downvoted this post because error in 'eval' command: the arguments to the 'if' function are invalid.

Re: compare fields for like match

rg33 — Sun, 25 Mar 2018 05:01:06 GMT

I fixed the error. Sorry for the typo.

Re: compare fields for like match

xploresplunk — Tue, 18 Jun 2019 14:30:16 GMT

How would you get the time for which these two fields matched each other? Further, if it matches several times how would you get the first time they matched (earliest time)?