topic Re: eval searchmatch with OR in Splunk Search

eval searchmatch with OR

DanielFordWA — Fri, 25 Oct 2013 11:09:10 GMT

I am trying to do a search match based on a number of different criteria.

The below does not work.

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/|*/Product/Product*Overview/Global*|*/Product/Product*Overview/EMEA/*|*/Product/Product*Overview/APAC/|*/Product/Product*Overview/Americas/"),1,null()) | stats count(Product) as Product by date_month

The below does return results but I want to combine Product 1-5 into one column and add the results.

sourcetype="iis-2" | extract auto=true | search cs_username |
eval Product1=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/ |
eval Product2=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Global*"),1,null()) |
eval Product3=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/EMEA/*"),1,null()) |
eval Product4=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/APAC/*"),1,null()) |
eval Product5=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Americas/*"),1,null()) |
stats count(Product1) as Product1 count(Product2) as Product2 count(Product3) as Product3 count(Product4) as Product4 count(Product5) as Product5 by date_month

I cant use */Product/Product*Overview/* as there are pages other than the ones above I do not want to include.

I am stuck, hope you can help.

Re: eval searchmatch with OR

lukejadamec — Fri, 25 Oct 2013 11:19:54 GMT

I've never been able to get regex or wildcards to work in an if statement. You're best bet is probably creating a rex that will create a field for each. Once you have them as fields, then you can do pretty much whatever you want.

Re: eval searchmatch with OR

DanielFordWA — Fri, 25 Oct 2013 11:25:45 GMT

Thanks for the reply. I have not done this before, how would I go about doing this?

Re: eval searchmatch with OR

lukejadamec — Mon, 28 Sep 2020 15:04:59 GMT

Something like this:
sourcetype="iis-2" | extract auto=true | search cs_username |rex field=cs_uri_stem ".*(?/Product/Product*Overview/Global)$"
This probably won't work because I don't have the entire value string, but that is basically it to create a field called Global for that stem.
Can you post the full cs_uri_stem values?

Re: eval searchmatch with OR

alacercogitatus — Fri, 25 Oct 2013 11:35:17 GMT

The problem with searchmatch is that is not regex, so separating searches with "|" (or) will not work. You can do it this way:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(match(cs_uri_stem,"*/Product/Product*Overview/"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/Global*"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/EMEA/*"),1,if(match(cs_uri_stem),"*/Product/Product*Overview/APAC/"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/Americas/"),1,null())))) | stats count(Product) as Product by date_month

Or A Non-nested version:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=case(match(cs_uri_stem,"*/Product/Product*Overview/"),1,match(cs_uri_stem,"*/Product/Product*Overview/Global*"),1,match(cs_uri_stem,"*/Product/Product*Overview/EMEA/*"),1,match(cs_uri_stem,"*/Product/Product*Overview/APAC/"),1,match(cs_uri_stem,"*/Product/Product*Overview/Americas/"),1,1=1,null()) | stats count(Product) as Product by date_month

UPDATE
I fixed the syntax on the two searches.

Re: eval searchmatch with OR

lukejadamec — Fri, 25 Oct 2013 14:26:28 GMT

This is the way you would use OR with rex. If your strings are correct, then this should work with the exception of /Product/Product.*Overview/. I left that out because from the looks of it you are specifying the overview/X strings that you want, and you said there are many that you don't want:

 | rex field="cs_uri_stem" ".*(?<PRODUCT>/Product/Product.*Overview/Global.*|/Product/Product.*Overview/EMEA/.*|/Product/Product.*Overview/APAC/.*|/Product/Product.*Overview/Americas/.*)$" | eval Contact=if(match(cs_uri_stem,"/Contacts/ContactProfile/"),1,null())

Re: eval searchmatch with OR

alacercogitatus — Tue, 29 Oct 2013 19:26:39 GMT

Did either of these work for you?

Re: eval searchmatch with OR

DanielFordWA — Wed, 30 Oct 2013 10:38:25 GMT

Hi, Thanks for the response, I am just testing them now.

The first query comes back with...

Error in 'eval' command: The operator at ')' is invalid.

The Non-nested version come back with...

Error in 'eval' command: The operator at ',null())' is invalid.

Re: eval searchmatch with OR

DanielFordWA — Wed, 30 Oct 2013 10:44:49 GMT

This works great, however I do need the....

/Product/Product.*Overview/

It used to be the case that this page was split by geo location and it is now not the case, so to do a query over the year I would need to include the below page but no pages underneath it.

/Product/Product.*Overview/

Re: eval searchmatch with OR

DanielFordWA — Wed, 30 Oct 2013 10:49:44 GMT

I just added /Product/Product.*Overview/. to the query and it works great.

Re: eval searchmatch with OR

DanielFordWA — Mon, 28 Sep 2020 15:08:19 GMT

Is it possible to combine this in a query where I am also using eval on the cs_uri_stem,
eval Contact=if(match(cs_uri_stem,"/Contacts/*Contact*Profile/"),1,null()) |

Re: eval searchmatch with OR

lukejadamec — Wed, 30 Oct 2013 13:27:36 GMT

Yes, if you also want to create the field Contact when the stem = that value only, then you would include that eval statement at the end. I tested it with different stems and it worked. I updated the query.