Splunk Search

Splunk search help -- output data should match 2 or more of the keywords

dantimola
Communicator

Hi, Fellow Splunkers,

Noob question. I would like to seek help with my search. This is the case: the client gave a CSV of keywords, and the search should be filtered based on the keywords matched. For example, if the keywords are "Apple, Banana, Car", the output data should contain 2 or more of the keyword matches. What will be my search? Is there an "if match.count > 1" condition in Splunk?

Thanks,

0 Karma
1 Solution

DalJeanis
SplunkTrust

Heh. We've encountered this kind of question before. I'm starting to think it's a class assignment somewhere. Here's one version...

https://answers.splunk.com/answers/56112/how-can-i-aggregate-some-values-of-a-field-and-divide-a-lis...

The basic form of the test required is like this...

| rex "(?i)(?<matchword>firstword|secondword|thirdword|morewords)" max_match=0
| where mvcount(matchword)>1

...and you can build the rex with code like this if your lookup table is going to be stable...

https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html

... ah, this may be the whole thing, or at least closely related...

https://answers.splunk.com/answers/555958/search-based-on-word-match.html


dantimola
Communicator

Hi, I would like to seek help once again. What about this case: the keyword to find is "Apple".
The regex couldn't find the word Apple if it has a comma next to it, unless I also add the comma to the keyword, like Apple, | Banana:

rex "(?i)(?<keyword_found>Apple| Banana......

Apple,

0 Karma

DalJeanis
SplunkTrust

@dantimola - unless you want to treat "Apple" and "Apple," as two different items, you should leave out the punctuation. The regex will find Apple no matter what is around it... for example, CrabApple or ApplePieComputers would still lead to finding Apple.

0 Karma
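The following is an added Python reconstruction of the rex/mvcount test from the accepted answer and of the substring caveat (CrabApple) in the reply above; it is not code from the thread or from Splunk. The CSV column name `keyword`, the sample keyword file and the sample events are all constructed for illustration. It goes slightly beyond the thread in two ways a practitioner building a keyword detection from a client-supplied list would want: keywords are regex-escaped before being joined into the alternation, and the count can be taken over distinct keywords rather than every hit.

```python
import csv
import io
import re

# Constructed sample keyword CSV, standing in for the client's file.
# The column name "keyword" is an assumption; the thread does not show the CSV.
KEYWORD_CSV = """keyword
Apple
Banana
Car
"""

# Constructed sample events, not taken from the thread.
EVENTS = [
    "user bought Apple, Banana and a Car",   # 3 distinct keywords, comma attached
    "Apple, delivered",                      # 1 keyword
    "Apple Apple Apple",                     # 1 distinct keyword, 3 raw hits
    "CrabApple pie sold from the Car",       # 'Apple' only as part of another word
    "nothing relevant here",
]


def load_keywords(csv_text):
    """Read the keyword column (one keyword per row), skipping blanks."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["keyword"].strip() for row in reader if row["keyword"].strip()]


def build_pattern(keywords, whole_words=False):
    """Build the alternation the accepted answer uses as its rex pattern.

    re.escape matters when the list comes from a file: a keyword such as
    'C++' or 'a.b' would otherwise change the meaning of the regex.
    Longer keywords go first so an overlapping shorter one cannot win.
    With whole_words=True the alternation is wrapped in \\b, so 'CrabApple'
    no longer counts as a hit for 'Apple'.
    """
    ordered = sorted(keywords, key=len, reverse=True)
    alternation = "|".join(re.escape(k) for k in ordered)
    if whole_words:
        alternation = r"\b(?:" + alternation + r")\b"
    return re.compile("(?P<matchword>" + alternation + ")", re.IGNORECASE)


def match_words(pattern, event):
    """Equivalent of rex ... max_match=0: every match, as a multivalue list."""
    return [m.group("matchword") for m in pattern.finditer(event)]


def filter_events(events, pattern, minimum=2, distinct=True):
    """Keep events with at least `minimum` keyword hits.

    distinct=True counts each keyword once, like mvcount(mvdedup(matchword)).
    distinct=False counts every occurrence, like the plain mvcount(matchword)
    in the accepted answer, so 'Apple Apple Apple' passes with one keyword.
    Returns (event, matched_words) pairs.
    """
    kept = []
    for event in events:
        found = match_words(pattern, event)
        if distinct:
            found = sorted({w.lower() for w in found})
        if len(found) >= minimum:
            kept.append((event, found))
    return kept


if __name__ == "__main__":
    kws = load_keywords(KEYWORD_CSV)
    loose = build_pattern(kws)
    strict = build_pattern(kws, whole_words=True)
    print("substring match, distinct keywords:")
    for event, words in filter_events(EVENTS, loose):
        print("  ", words, "<-", event)
    print("whole-word match, distinct keywords:")
    for event, words in filter_events(EVENTS, strict):
        print("  ", words, "<-", event)
```

In SPL the same two choices are `| where mvcount(mvdedup(matchword))>1` for the distinct count and a pattern of the form `(?i)(?<matchword>\b(?:Apple|Banana|Car)\b)` when substring hits like CrabApple are not wanted. The comma the follow-up question worried about is not a problem in either variant, since the alternation matches the word wherever it appears.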

dantimola
Communicator

Thank you very much!

koshyk
Super Champion

Can you please put an example of the CSV here, and a sample output of what you require?

0 Karma