Splunk Query

rupeshn · ‎11-20-2019

Hi,

After Extracting a field using regex. I now need to compare whether that particular field contains any command . Could you please help how to proceed further using eval,match or any other way?

sanjeev543 · ‎11-20-2019

Hi,

You could write the regex to match the field values to capture the commands in your newly extracted field. See below,

| makeresults 
| eval commands="vi,cd,hello,world"
| makemv delim="," commands
| mvexpand commands
| rex field=commands "(?<abc>.*)"
| eval contains_command=if(match(abc,"vi|cd"),"Yes","No")

Here I have extracted field abc from field commands and then I used eval and simple regex using match function to identify the commands in field abc
If it's there then I will see result as yes and no respectively.

493669 · ‎11-20-2019

Hi @rupeshn,
Try below-

...| eval matches = if(match(fieldname,"command Line"), 1, 0)

If it find command line in fieldname then it will return 1 else 0

rupeshn · ‎11-20-2019

That can be any command. Can i write a regex for command in place of "command line". If yes, Could you please suggest.

493669 · ‎11-20-2019

Please provide more details on sample data and what output are you expecting

Splunk Query

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

Splunk Query

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination