topic Re: How to check if a field contains a value of another field? in Splunk Search

How to check if a field contains a value of another field?

jpolcari — Fri, 08 Jul 2016 20:42:07 GMT

I would like to take the value of a field and see if it is CONTAINED within another field (not exact match). The text is not necessarily always in the beginning. Some examples of what I am trying to match:

Ex: field1=text field2=text@domain
Ex2: field1=text field2=sometext

I'm attempting to search Windows event 4648 for non-matching usernames. We have users with admin accounts that are very close to their unprivileged account names but with a couple characters added.

Re: How to check if a field contains a value of another field?

somesoni2 — Fri, 08 Jul 2016 20:56:21 GMT

You can do something this

your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")

Re: How to check if a field contains a value of another field?

Raschko — Fri, 08 Jul 2016 21:00:55 GMT

Try this:

| eval match=if(match(text,text2),1,0)
| where match=1

As the match command uses a RegEx, you can match one field as RegEx against another field.

From eval docs:

match(SUBJECT, "REGEX")

Re: How to check if a field contains a value of another field?

woodcock — Fri, 08 Jul 2016 21:46:26 GMT

Like this:

| where match(field2,field1)

Or this:

... | rename _raw AS raw
| map search="|noop|stats count as contained|eval field2=\"$field2$\" | eval contained=if(like(field2, \"%$field1$%\"), \"$raw$\", null())"

Re: How to check if a field contains a value of another field?

jpolcari — Mon, 11 Jul 2016 13:52:16 GMT

thanks very much! I was able to get it working with this.

Re: How to check if a field contains a value of another field?

davidcraven02 — Tue, 29 Sep 2020 17:28:51 GMT

I tried to apply this logic as I want to check if the values from con_splunkUL exists within con_UL, but for me it seems its checking for a direct match between both fields rather than checking for a match within the whole data set.

| eval MonitoringStatus = if(like(con_splunkUL,"%".con_UL."%"), "Monitored", "Not Monitored")

Re: How to check if a field contains a value of another field?

Sp3ctre11 — Thu, 11 Oct 2018 05:18:41 GMT

Did you figure this out, i'm having the same issues

Re: How to check if a field contains a value of another field?

davidsplunk123 — Tue, 29 Sep 2020 21:32:43 GMT

Yes I did, I used the below.

| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")

Also here is another example I used within the same search

| eval Action=if ((MonitoringStatus="Not Monitored")AND(like(Path,"%Hosting%")),"Action Required","No Action Required")

Re: How to check if a field contains a value of another field?

Sp3ctre11 — Thu, 11 Oct 2018 10:50:51 GMT

Regarding this though how would you go about it if you have an index with values...

and you want to check it against a .csv which contains prefixes...

I've currently got a question posted on splunkanswers. https://answers.splunk.com/answers/692085/how-to-match-two-columns-based-on-prefix-numbersle.html#answer-692089

Re: How to check if a field contains a value of another field?

ashikuma — Fri, 12 Oct 2018 12:07:14 GMT

I have same type of issue there , I want to look into two tables to match fields value if any match found then ignore if no match found then create separate table too display unique values only which comes out of two tables

Here are my tables, Example: If search pick value (353649273) from table A then it should search for match with all values in table B , not look like only one value corresponding to that field.

OrderNumberFailureA OrderNumberFailureB
353649273 353648649
353649184 353648566
353649091 353616829
353649033 353648649
353648797

353648680

353648745

353648730

353638941

353649331

340568517

353638941

353648361

349156251

353649335

353649091

353649240

353649143

353649160

353649092

353649312

353648984

353649091

353649163

353649240

353649092

353649143

353649095

353649008

353648984

353649008

353648794

353648856

353649273

353648796

353648754

353648620

353648594

353648794

353648649

353648685

353648651

353638941

353648610

353649273

353649241

353649163

353616829

353649163

353648754

353649347

353649335

353648748

353648661

353648649

353648754

353648649

353648649

353648984

353648994

353648802

353649263

353648649

353649347

353649240

353649178

353616829

353649092

353648984

353648754

353648768

353648749

353649387

353648680

353648649

353648566

Re: How to check if a field contains a value of another field?

ashikuma — Sat, 13 Oct 2018 11:46:34 GMT

Did anyone get a chance to look into this as well

Re: How to check if a field contains a value of another field?

Sp3ctre11 — Sun, 14 Oct 2018 22:21:12 GMT

Its complicated, still didnt get this quite working..

Re: How to check if a field contains a value of another field?

ashikuma — Mon, 15 Oct 2018 06:19:42 GMT

I tried using foreach loop but that didn't work. If we think about logic then it says we have to pick value from table A and search for each value in next table(B) which logically should be possible using foreach look to iterate through each value.

Also if this is not possible then can you query like to get count of unique values by appending column 2 into column 1 then check for count more than 1.

But in this case we have to dedup column 1 & 2 before we append them to avoid any discrepancy. Waiting for your comments....

Re: How to check if a field contains a value of another field?

Sp3ctre11 — Mon, 15 Oct 2018 21:50:03 GMT

Even if we append and dedup the results are still different because they are prefixes... the CIDR command can work for only numerical values being an IP address, but for this instance we are using Hex decimals. So at this stage, it is not possible. We tried using the foreach but because we have 30,000 different prefixes... our subsearches were huge and max out..

Re: How to check if a field contains a value of another field?

ashikuma — Tue, 16 Oct 2018 09:31:28 GMT

can we store both search queries results into two lookup tables instead of creating normal table, after that can we compare for unique values.

Just a ask

Re: How to check if a field contains a value of another field?

kslemster — Fri, 23 Apr 2021 18:35:18 GMT

I am using this and it works, but how can I have it ignore the case of the compared contained string. Make it case insensitive?