Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk search
Hi Team,
I have a dashboard in which there are event date, event title, AD location, Logon location and IP address. I have visualized all the datas into my dashboard.
I my splunk query i need to ignore if AD and Logon location are same. Need to ignore those events getting displayed in dashboard.
Here is the eg:
AD location : Almaty,KZ Logon location: Almaty city, Almaty, KZ. In this case I need to match any of these pair values. Like KZ or Almaty if anything is same. Need to ignore those in my dashboard.
I tried using Like and != operator coudn't able to get the search properly.
Required a quick help.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If string in ad location is a substring of logic location string, you may try
|where !match(login_location,ad_location)Here is a run anywhere example. Remove the where condition to see the data and it's comparison
|makeresults|eval ad_location="Almaty Almaty ABC KZ"|makemv ad_location| mvexpand ad_location
| appendcols [| makeresults |eval login_location="Almaty city,Almaty,XYZ,KZ"|makemv login_location delim=","|mvexpand login_location]
|where !match(login_location,ad_location)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for ur response..!!
I prefer to use this:
|where !match(login_location,ad_location)
But this is not ignoring the like search.
Eg: Logon location: Almaty, Almaty City, KZ and AD Location: Almaty, KZ. In this case I want to use a like condition to see atleast KZ matches. So need to ignore these results.
Please suggest if any like condition matches in 2fields that should be ignored.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Didn't quite get that
Can you make changes to the below dummy search with your inputs and expected output ?
|makeresults|eval ad_location="Almaty Almaty ABC KZ"|makemv ad_location| mvexpand ad_location
| appendcols [| makeresults |eval login_location="Almaty city,Almaty,XYZ,KZ"|makemv login_location delim=","|mvexpand login_location]
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Monitoring AI Agents with Splunk Observability Cloud
[Puzzles] Solve, Learn, Repeat: Tiling
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
