Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing string values and then matching field values?

ichesla1111
Path Finder
‎09-12-2022 12:26 PM

Hello, I am trying to match values in two different columns to see if both data sets contain the same serial number for a cellphone part. 

My search:

index=.. my search..... CellNumber="978499-" |dedup CellSerialNumber |table CellNumber CellSerialNumber

|appendcols [search ......CellNumber="978499-ALL" |dedup CellSerial |table CellNumber CellSerial]

| eval result=if(match(CellSerial,"%".CellSerialNumber."%"),"Contained", "Not Contained")


Results:

ichesla1111_1-1663010625013.png

 

Looking deeper into the data I see there is CellSerialNumber values with their last 6 digits (-6digits) equal to the six digit CellSerial number, yet they are given a "Not contained" value.

Why is this??

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

View solution in original post

Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:13 PM

if they are from different indexes (I suppose this is ment by different data sets?) you can also do something like "index=a OR index=b", so you'll get events out of both indexes

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:29 PM

Perfect! I can do that, but each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellSerialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:28 PM

I am trying your appraoch for the values and stats column chart, but how would I use rex to cutt of the first part of the CellserialNumber? Right now each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellserialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:32 PM

| rex field=CellserialNumber "978499-5-(?<testnumber>.*)"

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:42 PM

Thank you!!!!

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:11 PM

Thank you for getting back to me! Unfortunately, I have to do an appendcols command for the CellSerialNumber and CellSerial field values are from different data sets. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...