All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Match two field values utilizing a wildcard

jhampton_3rd
Explorer
‎11-24-2020 05:50 AM

Has anyone had to match two fields values using a wildcard in one of the fields values. 

My scenario, I have a host field that looks like this host=server1 , I have a dest field like this, dest=server1.www.me & dest=server1.xxx.com & dest=comp1.  I'm trying to find all instances where the host field with a wildcard matches the dest field.  This is the query I have so far without the filter

index="winevents" host=* | stats dc(dest) as total values(dest) count by host | search total > 1

results look like this:

host            total       values(dest)
server1          3          server1.www.me
                                      server1.xxx.com
                                      comp1

How can I filter only where the host field somewhat matches the dest field.  So results will look like this excluding the 3rd dest name of comp1.

host            total       values(dest)
server1          2          server1.www.me
                                      server1.xxx.com

I tried this but get no results

index="winevents" host=*| eval host=host + "*" | search host=dest | stats dc(dest) as total values(dest) count by host | search total > 1

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2020 06:28 AM 
index="winevents" host=*
| where match(dest,host) 
| stats dc(dest) as total values(dest) count by host 
| search total > 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2020 06:28 AM 
index="winevents" host=*
| where match(dest,host) 
| stats dc(dest) as total values(dest) count by host 
| search total > 1
0 Karma
Reply
Solved! Jump to solution

jhampton_3rd
Explorer
‎11-24-2020 06:42 AM

Thanks.  Worked like a charm!!!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...