Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you filter search results based on a variable...?

danfinan
Explorer
‎03-04-2019 04:31 AM

Hi all,

Hopefully my title makes sense, I'm trying to filter my results depending on the format of the username. I'm pumping in the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123

I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.

Is this possible within Splunk?

Any help is greatly appreciated! Thanks 🙂

Edited to avoid confusion.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KailA
Contributor
‎03-04-2019 04:58 AM

Hi,

You can try to use the match function like in this example and filter on the new field created:

| makeresults 
| eval username ="joe.blogs132"
| append 
    [| makeresults 
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"

Like that you can chose if you want to match a student or a staff, as you want.

Let me know if it help you 🙂

Kail

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

KailA
Contributor
‎03-04-2019 04:58 AM

Hi,

You can try to use the match function like in this example and filter on the new field created:

| makeresults 
| eval username ="joe.blogs132"
| append 
    [| makeresults 
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"

Like that you can chose if you want to match a student or a staff, as you want.

Let me know if it help you 🙂

Kail

0 Karma
Reply
Solved! Jump to solution

danfinan
Explorer
‎03-04-2019 05:07 AM

Hi Kail, thanks for your reply.

Apologies, I may communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therfore it would need to be a simple variable and not specifying individual usernames.

For example: If username contains numbers, do not include in the search result.

Thanks for your help though.

0 Karma
Reply
Solved! Jump to solution

KailA
Contributor
‎03-04-2019 05:17 AM

Ok so something like that I guess:

Base search 
| where NOT match(username,"\d")

or with @vnravikumar solution (the regex one)

Unfortunately, you can not do it directly in the base search.

0 Karma
Reply
Solved! Jump to solution

danfinan
Explorer
‎03-04-2019 05:24 AM

You've got it! Thank you very much, just tested and that's exactyl what I needed. You're a star!

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎03-04-2019 04:42 AM

Hi @danfinan

Try this and let me know

| makeresults 
| eval username ="joe.blogs123" 
| regex username ="\d"

OR

| makeresults 
| eval username ="joe.blogs123,andrew.smith" 
| makemv delim="," username 
| mvexpand username 
| eval result= if(match(username,"\d"),"student","staff")
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...