Hopefully my title makes sense. I'm trying to filter my results depending on the format of the username. I'm pumping the logs from a web filter into Splunk and I want to separate out users depending on whether their username contains numbers or not. For example: andrew.smith or joe.blogs123
I'd like to be able to create a condition where I tell Splunk: "If username contains [digits]" then only display those search results.
Is this possible within Splunk?
Any help is greatly appreciated! Thanks 🙂
Edited to avoid confusion.
Try this and let me know
| makeresults | eval username ="joe.blogs123" | regex username ="\d"
| makeresults | eval username ="joe.blogs123,andrew.smith" | makemv delim="," username | mvexpand username | eval result= if(match(username,"\d"),"student","staff")
You can try to use the
match function like in this example and filter on the new field created:
| makeresults | eval username ="joe.blogs132" | append [| makeresults | eval username ="andrew.smith"] | eval Type = if(match(username,"\d"),"Student","Staff") | where Type = "Student"
Like that you can choose whether to match a student or staff, as you want.
Let me know if it helps you 🙂
Hi Kail, thanks for your reply.
Apologies, I may have communicated my intentions incorrectly. I do not need to specify whether the user is a student or staff, I just need to filter out any username that contains numbers. I have thousands of users, therefore it would need to be a simple variable and not specifying individual usernames.
For example: If username contains numbers, do not include in the search result.
Thanks for your help though.
Ok so something like that I guess:
Base search | where NOT match(username,"\d")
or with @vnravikumar solution (the
Unfortunately, you cannot do it directly in the base search.
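As an added example (not from any of the replies above), here is the same `where NOT match(...)` filter applied end to end: three constructed web-filter log lines are expanded into events, the username is pulled out with `rex`, and any username containing a digit is dropped. The `user=` key, the `log` field name and the sample values are assumptions for the demo.

```spl
| makeresults
| eval log="user=andrew.smith url=example.com action=allowed;user=joe.blogs123 url=example.net action=blocked;user=sam.jones7 url=example.org action=allowed"
| makemv delim=";" log
| mvexpand log
| rex field=log "user=(?<username>\S+)"
| where NOT match(username, "\d")
| table username log
```

Only `andrew.smith` survives; swap `NOT match` for `match` to keep the numbered accounts instead, and use `"\d+$"` if you only want to treat usernames that end in digits as numbered.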