Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing string values and then matching field values?

ichesla1111
Path Finder
‎09-12-2022 12:26 PM

Hello, I am trying to match values in two different columns to see if both data sets contain the same serial number for a cellphone part. 

My search:

index=.. my search..... CellNumber="978499-" |dedup CellSerialNumber |table CellNumber CellSerialNumber

|appendcols [search ......CellNumber="978499-ALL" |dedup CellSerial |table CellNumber CellSerial]

| eval result=if(match(CellSerial,"%".CellSerialNumber."%"),"Contained", "Not Contained")


Results:

ichesla1111_1-1663010625013.png

 

Looking deeper into the data I see there is CellSerialNumber values with their last 6 digits (-6digits) equal to the six digit CellSerial number, yet they are given a "Not contained" value.

Why is this??

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

View solution in original post

Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:13 PM

if they are from different indexes (I suppose this is ment by different data sets?) you can also do something like "index=a OR index=b", so you'll get events out of both indexes

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:29 PM

Perfect! I can do that, but each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellSerialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution
Solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:07 PM

I think you should do the following:

write a search - best without an appendcols, join, dedup, etc - where you get events where the field CellSerialNumber  OR CellSerial  has a value. After this, you create a new field like "testnumber" which will be filled with the last digits of CellSerialNumber OR with CellSerial, depending which the event has. Then you can create a chart values(CellSerialNumber) count(CellSerialNumber) values(CellSerial) count(CellSerial) by testnumber, so you'll get your needed information aggregated. Then you can check if both counters are greater than 1 and if so it is containing. You could also do a fillnull and search for 0 and say it es not containing 😉

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:28 PM

I am trying your appraoch for the values and stats column chart, but how would I use rex to cutt of the first part of the CellserialNumber? Right now each cell serial number starts with "978499-5-****" where the "978499-5- is constant for every CellserialNumber where the **** is the unique identifier which would be equal to the Cell serial value if they are in both data sets. 

I am trying the trim command:  | eval CellserialNumber=ltrim(CellserialNumber," 978499-5-"), yet when doing this, it cut's of some of the numerical values when it returns the answer. Would there be a way to do this with the rex command?

0 Karma
Reply
Solved! Jump to solution

skramp
SplunkTrust
SplunkTrust
‎09-12-2022 01:32 PM

| rex field=CellserialNumber "978499-5-(?<testnumber>.*)"

Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:42 PM

Thank you!!!!

0 Karma
Reply
Solved! Jump to solution

ichesla1111
Path Finder
‎09-12-2022 01:11 PM

Thank you for getting back to me! Unfortunately, I have to do an appendcols command for the CellSerialNumber and CellSerial field values are from different data sets. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...