Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you filter search results based on a variable...?

danfinan
Explorer
‎03-04-2019 04:31 AM

Hi all,

Hopefully my title makes sense, I'm trying to filter my results depending on the format of the username. I'm pumping in the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123

I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.

Is this possible within Splunk?

Any help is greatly appreciated! Thanks 🙂

Edited to avoid confusion.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KailA
Contributor
‎03-04-2019 04:58 AM

Hi,

You can try to use the match function like in this example and filter on the new field created:

| makeresults 
| eval username ="joe.blogs132"
| append 
    [| makeresults 
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"

Like that you can chose if you want to match a student or a staff, as you want.

Let me know if it help you 🙂

Kail

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

KailA
Contributor
‎03-04-2019 04:58 AM

Hi,

You can try to use the match function like in this example and filter on the new field created:

| makeresults 
| eval username ="joe.blogs132"
| append 
    [| makeresults 
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"

Like that you can chose if you want to match a student or a staff, as you want.

Let me know if it help you 🙂

Kail

0 Karma
Reply
Solved! Jump to solution

danfinan
Explorer
‎03-04-2019 05:07 AM

Hi Kail, thanks for your reply.

Apologies, I may communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therfore it would need to be a simple variable and not specifying individual usernames.

For example: If username contains numbers, do not include in the search result.

Thanks for your help though.

0 Karma
Reply
Solved! Jump to solution

KailA
Contributor
‎03-04-2019 05:17 AM

Ok so something like that I guess:

Base search 
| where NOT match(username,"\d")

or with @vnravikumar solution (the regex one)

Unfortunately, you can not do it directly in the base search.

0 Karma
Reply
Solved! Jump to solution

danfinan
Explorer
‎03-04-2019 05:24 AM

You've got it! Thank you very much, just tested and that's exactyl what I needed. You're a star!

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎03-04-2019 04:42 AM

Hi @danfinan

Try this and let me know

| makeresults 
| eval username ="joe.blogs123" 
| regex username ="\d"

OR

| makeresults 
| eval username ="joe.blogs123,andrew.smith" 
| makemv delim="," username 
| mvexpand username 
| eval result= if(match(username,"\d"),"student","staff")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top