Can eval case match a fields value as a substring to another field?

Communicator

Hi All,

index="index1" sourcetype="SC1" OR sourcetype="SC2" | eval Ticket_Main5 = substr(Ticket,1,5) | eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")

For example Ticket="Z1234B", LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A". So I need to extract Ticket_Main5 first, then check this field against another field, LINK_LIST, inside the eval case. There are other arguments in the eval case as well, which I removed here.

Or is there any other way where I can check if a field value is a substring of another field value?

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Legend

@Chandras11, please try the following run anywhere example based on the details provided.

| makeresults 
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2" 
| eval Ticket_Main5 = substr(Ticket,1,13) 
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")

| eval message="Happy Splunking!!!"

Re: Can eval case match a fields value as a substring to another field?

Communicator

I tried the match() command in eval case, but it is always giving me a result "NotFound", even if there is a match.
So I checked the documentation and found that we have 3 possibilities:
1. match(SUBJECT, "REGEX")
2. like(TEXT, PATTERN)
3. in(VALUE-LIST)

In all 3 cases, the first argument is shown as the field but the second argument is some string.

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Communicator
0 Karma

Re: Can eval case match a fields value as a substring to another field?

Legend

@Chandras11, you might have to provide some raw sample event which is not working as expected.

I tried a run anywhere search based on the details provided and that works fine! I tested with Z1234A, Z1234B and Z1234C.

For A & B I got the result SC2_Ticket and for C NotFound. So the next thing would be to figure out why the same would not work with raw data.

Also, once you have identified them as SC2_Ticket and NotFound, is there subsequent activity you need to perform or is that the final pipe?

| eval message="Happy Splunking!!!"

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Champion

Hi, could there be trailing spaces involved? Can you use a trim function to trim your fields before applying substr or case functions?

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Communicator

No, there is no trailing space but it seems that the problem is involving 2 different source types with same field names.

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Communicator

Finally I found some issue with my query. Ticket="Z1234B" is in sourcetype="SC1" and LINK_LIST is in sourcetype="SC2". If I remove sourcetype="SC2", the search will give me the results. The problem is that both sourcetype="SC1" and sourcetype="SC2" have a field called LINK_LIST and I just want to check it in "SC2" only.
I tried it with an eval subsearch and join but I am not able to resolve it. The other question is posted at https://answers.splunk.com/answers/668508/parameter-passing-between-2-searches-as-input-as-w.html , where you can find some dummy row data 🙂

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Communicator

What I really need is the value of SC2_Ticket from the first event where Ticket_Main5 (SC1) is in LINK_LIST of SC2. "SC2_Ticket" as a string won't help.
However, it is possible to rename the fields for both sourcetypes and then combine another query to get the results.

0 Karma

Re: Can eval case match a fields value as a substring to another field?

Legend

@Chandras11, you can add the following eval to create two new fields, i.e. SC1_LINK_LIST and SC2_LINK_LIST, and use the required column as per your need.

| eval {sourcetype}_LINK_LIST=LINK_LIST

Following is a run anywhere search:

| makeresults 
| eval LINK_LIST="A,B", sourcetype="SC1" 
| append 
    [| makeresults 
    | eval LINK_LIST="A B", sourcetype="SC2"]
| eval {sourcetype}_LINK_LIST=LINK_LIST

| eval message="Happy Splunking!!!"

0 Karma
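The cross-sourcetype lookup the thread converges on, as an added run-anywhere example that is not code from any of the posters above. It answers both the original question (a field value as the pattern in like(), by concatenating % wildcards around it) and the later requirement that the value of SC2_Ticket, not the literal string "SC2_Ticket", be returned from the SC2 event whose LINK_LIST contains the SC1 ticket prefix. SC1 events carry Ticket, SC2 events carry LINK_LIST and SC2_Ticket, exactly as described in the thread; the four sample events built with makeresults are constructed for this example. The steps are: derive Ticket_Main5 only on SC1 events (trimmed first, per the trailing-space suggestion), collect every SC1 prefix into one multivalue field with eventstats so that each SC2 event can see them, keep only SC2 events, mvexpand the prefixes so each SC2 event is paired with each SC1 prefix, and then run the substring test inside case():

```spl
| makeresults count=2
| streamstats count as n
| eval sourcetype="SC1", Ticket=case(n=1, "Z1234B", n=2, "Q5555X")
| append
    [| makeresults count=2
    | streamstats count as n
    | eval sourcetype="SC2",
        LINK_LIST=case(n=1, "C1234A001;Z1234A;Z1234B", n=2, "X9999A;X9999B"),
        SC2_Ticket=case(n=1, "C1234A", n=2, "X9999A")]
| fields - n
| eval Ticket_Main5=if(sourcetype="SC1", substr(trim(Ticket),1,5), null())
| eventstats values(Ticket_Main5) as sc1_keys
| where sourcetype="SC2"
| mvexpand sc1_keys
| eval Ticket_master=case(like(LINK_LIST, "%".sc1_keys."%"), SC2_Ticket, true(), "NotFound")
| table sc1_keys SC2_Ticket LINK_LIST Ticket_master
```

With the constructed data this yields four rows, of which only the pairing of prefix Z1234 with LINK_LIST "C1234A001;Z1234A;Z1234B" gets Ticket_master="C1234A"; the other three are "NotFound". Two caveats: like() treats the key literally except for % and _ (so a ticket prefix containing an underscore would act as a single-character wildcard), whereas match() interprets the key as a regular expression, which is why a key with regex metacharacters can silently fail to match; and eventstats plus mvexpand is a cross product of SC1 prefixes against SC2 events, so narrow the SC2 set in the base search before this stage when either side is large. Append `| where Ticket_master!="NotFound"` if only the matched rows are wanted.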