https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166798#M47470 <P>Try this</P> <PRE><CODE>index=foo sourcetype=bar | eval matched=if(like(hostname,"%".username."%"),"True","False") | table username hostname matched </CODE></PRE> Thu, 18 Jun 2015 18:05:18 GMT lguinn2 2015-06-18T18:05:18Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166797#M47469 <P>Hi Splunkers,<BR /> I'm trying to work through a search where I have a base query delivering usernames and some corresponding hostnames. Hostnames are usually in the form of pc-username. There are frequently variants where the user will have pc-username-2 or pc-username-W7 etc. but typically 'username' is in there somewhere.<BR /> What would be a way for me to locate instances where hostname contained the actual username and identify that instance as "True". OR instances where the hostname didn't contain the actual username and identify that instance as "False"?<BR /> IE the first two results would be marked as true and the last one would be marked as false in the results below.</P> <P>index=foo sourcetype=bar | table username,hostname</P> <P>RequestorName MachineName<BR /> gtron pc-gtron<BR /> karthur pc-karthur-w8<BR /> tkhan pc-support-test</P> <P>Thanks for your help!</P> Thu, 18 Jun 2015 17:21:07 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166797#M47469 lbogle 2015-06-18T17:21:07Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166798#M47470 <P>Try this</P> <PRE><CODE>index=foo sourcetype=bar | eval matched=if(like(hostname,"%".username."%"),"True","False") | table username hostname matched </CODE></PRE> Thu, 18 Jun 2015 18:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166798#M47470 lguinn2 2015-06-18T18:05:18Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166799#M47471 <P>Seriously, every time you pick up one of my questions, I get super excited because I know you almost always take the time to answer and answer correctly! Minus the extra parenthesis, that did it!<BR /> You rock!<BR /> Thanks!</P> Thu, 18 Jun 2015 18:19:09 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166799#M47471 lbogle 2015-06-18T18:19:09Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166800#M47472 <P>This makes me happy ;D Also, @lguinn is a rockstar!</P> Fri, 19 Jun 2015 01:05:51 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166800#M47472 ppablo 2015-06-19T01:05:51Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166801#M47473 <P>+1, upgoats for @lguinn! </P> Fri, 19 Jun 2015 02:16:18 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166801#M47473 piebob 2015-06-19T02:16:18Z https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166802#M47474 <P>Thanks, guys - and I fixed the typo...</P> Fri, 19 Jun 2015 17:36:59 GMT https://community.splunk.com/t5/Splunk-Search/Find-a-field-value-string-that-is-partially-present-in-another/m-p/166802#M47474 lguinn2 2015-06-19T17:36:59Z