How do you filter search results based on a variable...?

danfinan
Explorer

Hi all,

Hopefully my title makes sense, I'm trying to filter my results depending on the format of the username. I'm pumping in the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123

I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.

Is this possible within Splunk?

Any help is greatly appreciated! Thanks 🙂

Edited to avoid confusion.

1 Solution

KailA
Contributor

Hi,

You can try to use the match function like in this example and filter on the new field created:

| makeresults
| eval username="joe.blogs132"
| append
    [| makeresults
     | eval username="andrew.smith"]
| eval Type=if(match(username,"\d"),"Student","Staff")
| where Type="Student"

Like that you can choose if you want to match a student or staff, as you want.

Let me know if it helps you 🙂

Kail

danfinan
Explorer

Hi Kail, thanks for your reply.

Apologies, I may have communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therefore it would need to be a simple variable and not specifying individual usernames.

For example: If username contains numbers, do not include in the search result.

Thanks for your help though.


KailA
Contributor

Ok so something like that I guess:

Base search
| where NOT match(username,"\d")

or with @vnravikumar's solution (the regex one)

Unfortunately, you can not do it directly in the base search.


danfinan
Explorer

You've got it! Thank you very much, just tested and that's exactly what I needed. You're a star!


vnravikumar
Champion

Hi @danfinan

Try this and let me know

| makeresults
| eval username="joe.blogs123"
| regex username="\d"

OR

| makeresults
| eval username="joe.blogs123,andrew.smith"
| makemv delim="," username
| mvexpand username
| eval result=if(match(username,"\d"),"student","staff")
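An added example (not posted by anyone in this thread) that carries KailA's `where NOT match(...)` filter and @vnravikumar's `regex` approach through from a raw web-filter event instead of a hand-set field: the three log lines, the `user=` key that `rex` extracts into `username`, and the `action` field are all constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n==1, "2024-05-01T09:00:00Z user=andrew.smith url=example.com action=allowed",
    n==2, "2024-05-01T09:00:05Z user=joe.blogs123 url=example.org action=blocked",
    n==3, "2024-05-01T09:00:09Z user=sam.jones7 url=example.net action=allowed")
| rex field=_raw "user=(?<username>\S+)"
| eval Type=if(match(username,"\d"),"Student","Staff")
| where NOT match(username,"\d")
| table username Type action
```

Only andrew.smith survives the `where` line; the same exclusion can be written as `| regex username!="\d"` directly after the `rex`, and replacing the `where` line with `| stats count by Type` gives a per-group count instead of the filtered rows.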