
Why is the "match" condition not working?

punithsj96
Explorer

I want to match one field value with other field values. If the value in the btc field is present in NEB_Sales_Oppy_Business_Type, I should get True, otherwise False. I tried the following query:

| eval Is_businees_type_matching=if(match(NEB_Sales_Oppy_Business_Type, btc), "TRUE", "FALSE")

Why am I getting False for 3 rows even though the value is available in both fields?


bowesmana
SplunkTrust

The problem is that the match string is a regex, so btc would need to be

New Equipment \(NEB\)

for the match to work. See this example

| makeresults
| fields - _time
| eval NEB_Sales_Oppy_Business_Type="New Equipment (NEB)|Modernization (FRB)|Modernization (TRB)", btc="New Equipment (NEB)", btc1="New Equipment \(NEB\)"
| eval Is_businees_type_matching=if(match(NEB_Sales_Oppy_Business_Type, btc), "TRUE", "FALSE")
| eval Is_businees_type_matching1=if(match(NEB_Sales_Oppy_Business_Type, btc1), "TRUE", "FALSE")

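The behaviour described in the answer above, reproduced outside Splunk as an added example that is not part of the thread: Python's `re` module treats `(` and `)` as a group in the same way the regex passed to `match()` does. The helper names are hypothetical and the sample values are taken from the `makeresults` example; the code also covers the other regex metacharacters and the case where an unescaped value over-matches.

```python
import re

# Sample values constructed from the makeresults example in the thread.
BUSINESS_TYPES = "New Equipment (NEB)|Modernization (FRB)|Modernization (TRB)"
BTC = "New Equipment (NEB)"

# Regex metacharacters (outside a character class) that need a backslash.
_META = re.compile(r"([\\.^$|?*+()\[\]{}])")


def escape_literal(value):
    """Backslash-escape every metacharacter so the value matches only itself."""
    return _META.sub(r"\\\1", value)


def regex_match(text, pattern):
    """Unanchored regex search: the field value is used as the pattern."""
    return re.search(pattern, text) is not None


def literal_match(text, value):
    """Substring test that treats the field value as data, not as a pattern."""
    return regex_match(text, escape_literal(value))


def exact_member(text, value, sep="|"):
    """Exact comparison against each entry of a delimited list; no regex."""
    return value in text.split(sep)


if __name__ == "__main__":
    # "(NEB)" as a pattern is a group matching the text "NEB", so the
    # unescaped value never matches the literal parentheses in the field.
    for value in (BTC, "New Equipment", ".*"):
        print(repr(value),
              "regex:", regex_match(BUSINESS_TYPES, value),
              "literal:", literal_match(BUSINESS_TYPES, value),
              "member:", exact_member(BUSINESS_TYPES, value))
```

A value such as `.*` shows the opposite failure: used unescaped it matches every row, which matters when the compared field comes from ingested data.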

punithsj96
Explorer

@bowesmana, thanks for your response, it's working now as per my requirement.


ITWhisperer
SplunkTrust

Try replacing the open and close brackets in the btc field

| eval Is_business_type_matching=if(match(NEB_Sales_Oppy_Business_Type, replace(replace(btc,"\)","\\\)"),"\(","\\\(")), "TRUE", "FALSE")

punithsj96
Explorer

Hi @ITWhisperer, yes, it's also working. Thanks for the support and response.


SanjayReddy
Builder

Hi @punithsj96

Can you swap the fields in match and try it?

| eval Is_businees_type_matching=if(match(btc,NEB_Sales_Oppy_Business_Type), "TRUE", "FALSE")

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated.

punithsj96
Explorer

Hi @SanjayReddy

Thanks for your response. I tried it, but it's still not working.
