Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- How do you filter search results based on a variab...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Hopefully my title makes sense, I'm trying to filter my results depending on the format of the username. I'm pumping in the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123
I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.
Is this possible within Splunk?
Any help is greatly appreciated! Thanks 🙂
Edited to avoid confusion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try to use the match function like in this example and filter on the new field created:
| makeresults
| eval username ="joe.blogs132"
| append
[| makeresults
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"
Like that you can chose if you want to match a student or a staff, as you want.
Let me know if it help you 🙂
Kail
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try to use the match function like in this example and filter on the new field created:
| makeresults
| eval username ="joe.blogs132"
| append
[| makeresults
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"
Like that you can chose if you want to match a student or a staff, as you want.
Let me know if it help you 🙂
Kail
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kail, thanks for your reply.
Apologies, I may communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therfore it would need to be a simple variable and not specifying individual usernames.
For example: If username contains numbers, do not include in the search result.
Thanks for your help though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok so something like that I guess:
Base search
| where NOT match(username,"\d")
or with @vnravikumar solution (the regex one)
Unfortunately, you can not do it directly in the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've got it! Thank you very much, just tested and that's exactyl what I needed. You're a star!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @danfinan
Try this and let me know
| makeresults
| eval username ="joe.blogs123"
| regex username ="\d"
OR
| makeresults
| eval username ="joe.blogs123,andrew.smith"
| makemv delim="," username
| mvexpand username
| eval result= if(match(username,"\d"),"student","staff")
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
Index This | How many sevens are there between 1 and 100?
