Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search

SabariRajanT
Path Finder
‎02-05-2021 01:54 AM

Hi Team,

I have a dashboard in which there are event date, event title, AD location, Logon location and IP address. I have visualized all the datas into my dashboard.

I my splunk query  i need to ignore if AD and Logon location are same. Need to ignore those events getting displayed in dashboard.

Here is the eg: 

AD location : Almaty,KZ Logon location: Almaty city, Almaty, KZ.  In this case I need to match any of these pair values. Like KZ or Almaty if anything is same. Need to ignore those in my dashboard.

I tried using Like and != operator coudn't able to get the search properly. 

Required a quick help.

Thanks,

Labels (2)
Labels
0 Karma
Reply

renjith_nair
Legend
‎02-05-2021 03:05 AM

If string in ad location is a substring of logic location string, you may try

|where !match(login_location,ad_location)

Here is a run anywhere example. Remove the where condition to see the data and it's comparison

|makeresults|eval ad_location="Almaty Almaty ABC KZ"|makemv ad_location| mvexpand ad_location
| appendcols [| makeresults |eval login_location="Almaty city,Almaty,XYZ,KZ"|makemv login_location delim=","|mvexpand login_location]
|where !match(login_location,ad_location)

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

SabariRajanT
Path Finder
‎02-05-2021 03:17 AM

@renjith_nair 

Thanks for ur response..!!

I prefer to use this: 

|where !match(login_location,ad_location)

But this is not ignoring the like search.

Eg: Logon location: Almaty, Almaty City, KZ and AD Location: Almaty, KZ. In this case I want to use a like condition to see atleast KZ matches. So need to ignore these results.

Please suggest if any like condition matches in 2fields that should be ignored.

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎02-07-2021 10:45 PM

Didn't quite get that

Can you make changes to the below dummy search with your inputs and expected output ?

|makeresults|eval ad_location="Almaty Almaty ABC KZ"|makemv ad_location| mvexpand ad_location
| appendcols [| makeresults |eval login_location="Almaty city,Almaty,XYZ,KZ"|makemv login_location delim=","|mvexpand login_location]

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...