topic Re: How to compare 2 values from 1 field in different events and use match or like commands in Splunk Search

How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia — Mon, 21 Aug 2017 07:27:34 GMT

Hi Guys,

I have a field say hostname with some values like AAB89786 and AAB89786W in different events. Basically they're the same values but with an extra character, so it can be anything and not just W like mentioned above.
Now i want to compare these 2 values and prevent them from going to the next search as they're the same and not 2 different hostnames. Any clues on how can we do this ?

Re: How to compare 2 values from 1 field in different events and use match or like commands

koshyk — Mon, 21 Aug 2017 08:33:12 GMT

any chance of putting some sample events?

Re: How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia — Mon, 21 Aug 2017 08:59:48 GMT

Please find the sample below, have masked the ip and mac address .
Now the hostnames under () i.e AAB89786W and AAB89786 are the same but Splunk is treating them differently and I need to solve this thing.

<30>Jul 19 08:38:34 xxxx057-3dc-xxxxx.net.xxxx.com dhcpd[22174]: DHCPACK on 1d.xx.33.181 to e4:a4:71:24:xx:6d (AAB89786W ) via eth2 relay 10.dd.dd.pp lease-duration 43200 (RENEW) uid xx:00:xx:5d:21:1f:xx
<30>Jul 19 08:22:06 xxxx059-3dc-xxxxxx.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.xx.xx.231 to 08:xx:41:e6:cb:xx (Treo-xxx) via eth2 relay 10.cc.mm.1 lease-duration 432000 (RENEW) uid 01:08:xx:41:e6:xx
<30>Jul 19 08:15:17 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.56.xx.xxx to 08:6d:xx:e6:xx(idb25) via eth2 relay 1x.56.xx.1 lease-duration 3600 (RENEW) uid zz:08:6d:xx:e6:cb:a1
<30>Jul 19 08:02:28 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 10.29.33.3 to e4:xx:71:xx:b4:6d (AAB89786W) via eth2 relay 1x.29.xx.12 lease-duration 3600 uid 01:xx:a4:xx:24:xx:6d

Re: How to compare 2 values from 1 field in different events and use match or like commands

HiroshiSatoh — Mon, 21 Aug 2017 09:27:28 GMT

If you know the format, you can convert hostname.

EX.) ---Convert with sourcetype
(your search)
|eval hostname=case(sourcetype == "A",substr(hostname,1,10),sourcetype == "B",substr(hostname,2,10),hostname)
|stats count by hostname

Re: How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia — Mon, 21 Aug 2017 11:51:22 GMT

the sample hasn't come out well, request you to please treat as a new event whenever you find a timestamp.

Re: How to compare 2 values from 1 field in different events and use match or like commands

niketn — Mon, 21 Aug 2017 12:05:04 GMT

@rahul_jasrotia, you can post the Events using the code button here i.e. 101010 to make sure data does not get escaped.

Is the length for field value constant? Is there only one additional character in the other event or can they be more?

Re: How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia — Mon, 21 Aug 2017 13:39:23 GMT

1.No the length is not constant
2. Yes only 1 character is appended in the end.

Re: How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia — Mon, 21 Aug 2017 13:59:35 GMT

The sourcetype is the same and please take at the samples above and provide your inputs.

Re: How to compare 2 values from 1 field in different events and use match or like commands

HiroshiSatoh — Mon, 21 Aug 2017 14:34:44 GMT

I do not know the condition in this sample.
Please fill in XXXX yourself.

(your search)
|eval hostname=if(XXXX,substr(hostname,1,len(hostname)-1),hostname)

Re: How to compare 2 values from 1 field in different events and use match or like commands

niketn — Mon, 21 Aug 2017 17:05:23 GMT

I see the following 4 events in your example, if I filter each event with timestamp. However, two out of the 4 events provided have the host field your are interested in, and both are AAB89786W. As per your question they should be AAB89786 and AAB89786W. Are your sure you have not missed any other required event?

Jul 19 08:38:34 xxxx057-3dc-xxxxx.net.xxxx.com dhcpd[22174]: DHCPACK on 1d.xx.33.181 to e4:a4:71:24:xx:6d (AAB89786W ) via eth2 relay 10.dd.dd.pp lease-duration 43200 (RENEW) uid xx:00:xx:5d:21:1f:xx 

Jul 19 08:22:06 xxxx059-3dc-xxxxxx.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.xx.xx.231 to 08:xx:41:e6:cb:xx (Treo-xxx) via eth2 relay 10.cc.mm.1 lease-duration 432000 (RENEW) uid 01:08:xx:41:e6:xx 

Jul 19 08:15:17 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.56.xx.xxx to 08:6d:xx:e6:xx(idb25) via eth2 relay 1x.56.xx.1 lease-duration 3600 (RENEW) uid zz:08:6d:xx:e6:cb:a1 

Jul 19 08:02:28 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 10.29.33.3 to e4:xx:71:xx:b4:6d (AAB89786W) via eth2 relay 1x.29.xx.12 lease-duration 3600 uid 01:xx:a4:xx:24:xx:6d

It would be easier for us to assist if you just provide the two events where AAB89786W and AAB89786 are present. So that we do not confuse them with unwanted sample.
Kindly make sure you post events using the code button (101010) on Splunk Answers.