How to pass argument (dynamically) to searchmatch ...

Testeur971 · ‎04-17-2020

Hi,

I wonder test different pattern matching (format spl) dynamically with a field value without use the command "map"

example:

| makeresults | eval _raw = "foo var" | eval mymatch = "var OR fo*" | eval test = if(searchmatch($mymatch$),"yes","no")

I test with macro but it doesn't work.

manjunathmeti · ‎04-18-2020

Argument for searchmatch is a string not a field. You need to put search string "var OR fo*" in searchmatch function.

| makeresults | eval _raw = "foo var" | eval test1 = if(searchmatch("var OR fo*"), "yes", "no"), test2 = if(searchmatch("var AND foo"), "yes", "no")

If you want to pass search string as a parameter then save your search as a saved search (Report) and use savedsearch command to call saved search with parameter:

<your search> | eval test = if(searchmatch("$search_string$"), "yes", "no")

Save this search as saved_search_name and call it using savedsearch command:

 | savedsearch saved_search_name search_string="var OR fo*"

Testeur971 · ‎04-18-2020

thanks!

But, your solution can't work with multiples patterns

My patterns are in a lookup, and for every patterns, i've specifics values in others fields.

The goal is to compare a lot of _raw with multiples patterns in my lookup for monitoring log.

does it exist a library in python for use function searchmatch ?, i can develop a custom command with it that will take parameter in searchmatch function because is not possible dynamically with splunk core without use map command.

my wish:

| makeresults  | eval _raw="foo bar var"| eval different_pattern ="var OR test,foo AND bar,bar" | makemv different_pattern delim="," | mvexpand different_pattern_spl_format | eval result =if(searchmatch($different_pattern_spl_format_value$),"yes","no")

to4kawa · ‎04-18-2020

The goal is to compare a lot of _raw with multiples patterns in my lookup for monitoring log.
use lookup(wildcard)

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

But why do you need to search the log itself?
it is better to extract like msg field and compare these.

to4kawa · ‎04-17-2020

searchmatch(X)  Use this function to return TRUE if the search string (X) matches the event.

reference:https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

sample solution:

| makeresults | eval _raw="foo bar"
| eval test = if(searchmatch([|makeresults |eval query="\"bar\""|fields - _*]),"yes","no")
|appendpipe[
| eval test = if(searchmatch([|makeresults |eval query="\"foo\""|fields - _*]),"yes","no")
|appendpipe[
| eval test = if(searchmatch([|makeresults |eval query="\"foo OR bar\""|fields - _*]),"yes","no")]]

Sorry, I have a mistake.

Inside searchmatch, it can't use boolean expression like OR.
check my latest comment and try lookup(wildcard)

Testeur971 · ‎04-18-2020

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

But why do you need to search the log itself?
it is better to extract like msg field and compare these

@to4kawa

Because in the lookup, the pattern is in splunk format with "OR" "NOT" "AND" (operator) not only wildcard like this "*"
i've the index, the sourcetype and the pattern in splunk format and others fields , i put a "join" in my spl on index and sourcetype for every eventlog and after i want test dynamically all patterns for fill every fields for ITSI app.

to4kawa · ‎04-18-2020

foo.csv

sample
A OR b
*foo
bar

sample query:

index=yours [ | inputlookup foo.csv | table sample | return 1000 $sample]

you can do it like that.

Testeur971 · ‎04-19-2020

@to4kawa

 index=yours [ | inputlookup foo.csv | table sample | return 1000 $sample]

i already do that in the root search . But after in the same lookup , i've a description , severity, order, etc..
how i can connect the matches events with the spl pattern in the lookup for output the other fields without use map command ?

to4kawa · ‎04-19-2020

index=sample
| lookup foo.csv host OUTPUT description
| lookup foo.csv user OUTPUT severity
| lookup foo.csv bar OUTPUT baz

this is sample. lookup can use it again and again.
inputlookup is same.

Testeur971 · ‎04-19-2020

@to4kawa

The ID is the pattern in SPL, it's for that i need a dynamically searchmatch that can indicate with what pattern spl the event _raw match for connect after with the lookup.

but i can't pass to the function searchmatch a field value.

to4kawa · ‎04-19-2020

I see what you want. but I don't know the details ,logs , lookups.
I can't help and make SPL without these.

You don't provide these, so I think you'll write the SPL yourself.

Testeur971 · ‎04-18-2020

@to4kawa
Thanks for the help! But it's doesn't work

Test the spl below:

| makeresults | eval _raw="foo bar"| eval mymatch = "nomatch1 OR nomatch*" 
 | foreach mymatch [ eval test = if(searchmatch("<<MATCHSTR>>"),"yes","no")]

The result is too "yes", because it's blank. My version 7.3.0

to4kawa · ‎04-18-2020

my version 8.0.1

Testeur971 · ‎04-18-2020

it doesn't work, because it don't take the field value in the function searchmatch , it's a empty string.

In search.log:
04-18-2020 13:21:02.396 INFO ForeachProcessor - search for field 'mymatch' = eval test = if(searchmatch(""),"yes","no")

How to pass argument (dynamically) to searchmatch function without use map command

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!