Solved: Re: Match two field values utilizing a wildcard

jhampton_3rd · ‎11-24-2020

Has anyone had to match two fields values using a wildcard in one of the fields values.

My scenario, I have a host field that looks like this host=server1 , I have a dest field like this, dest=server1.www.me & dest=server1.xxx.com & dest=comp1. I'm trying to find all instances where the host field with a wildcard matches the dest field. This is the query I have so far without the filter

index="winevents" host=* | stats dc(dest) as total values(dest) count by host | search total > 1

results look like this:

host            total       values(dest)
server1          3          server1.www.me
  server1.xxx.com
comp1

How can I filter only where the host field somewhat matches the dest field. So results will look like this excluding the 3rd dest name of comp1.

host            total       values(dest)
server1          2          server1.www.me
  server1.xxx.com

I tried this but get no results

index="winevents" host=*| eval host=host + "*" | search host=dest | stats dc(dest) as total values(dest) count by host | search total > 1

ITWhisperer · ‎11-24-2020

index="winevents" host=*
| where match(dest,host) 
| stats dc(dest) as total values(dest) count by host 
| search total > 1

View solution in original post

ITWhisperer · ‎11-24-2020

index="winevents" host=*
| where match(dest,host) 
| stats dc(dest) as total values(dest) count by host 
| search total > 1

jhampton_3rd · ‎11-24-2020

Thanks. Worked like a charm!!!

Match two field values utilizing a wildcard

search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!