Splunk Search

Dynamic eval if match from a list of values - foreach?

DanielFordWA
Contributor

A standard eval if match example is below.

Any ViewUrl value which starts with /company/.* has the entire string replaced with only "/company/*".

my search | eval ViewUrl=if(match(ViewUrl,"/company/.*"), "/company/*", ViewUrl)

Is it possible to do this dynamically from a list of values?

For example instead of only having the single value of "/company/*" I have around 500 values in a lookup or populated from a sub-search.

I could write this out manually as below, however this is impractical.

my search | eval ViewUrl=if(match(ViewUrl,"value1"),"value1",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value2"),"value2",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value3"),"value3",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"valuen"),"valuen",ViewUrl)

Is there a way of using a loop or the foreach command to achieve the above in a few lines instead of hundreds?

Thanks,

Dan

0 Karma

richgalloway
SplunkTrust

@DanielFordWA Is your problem resolved? If so, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sdchakraborty
Contributor

What about creating a custom command or external lookup? You can just pass the ViewUrl value to the Python script, where you will handle the matching part. Then from the Python script you will return the data to Splunk.

Sid

0 Karma
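The external-lookup route suggested above, as an added example that is not code from the thread or from Splunk: a hypothetical script (call it urlnorm.py) that Splunk would invoke through transforms.conf with the input and output field names as arguments, reading CSV rows on stdin and writing them back on stdout with the output field filled in. The prefix list is a constructed sample standing in for the ~500 values the question mentions; in a real deployment it would be loaded from a file beside the script. Matching is a front (prefix) match, not the unanchored regex that eval match() performs, and where several prefixes match (for example /company/ and /company/admin/) the longest one wins, which answers the "multiple matches" question raised later in the thread.

```python
#!/usr/bin/env python3
"""Splunk external lookup (hypothetical name: urlnorm.py) that replaces a
ViewUrl with its longest matching prefix from a list of patterns.

Assumed wiring in transforms.conf (not from the thread):
    [urlnorm]
    external_cmd = urlnorm.py ViewUrl ViewUrlNormalized
    fields_list  = ViewUrl, ViewUrlNormalized
Search usage:  ... | lookup urlnorm ViewUrl OUTPUT ViewUrlNormalized
"""
import csv
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample prefix list; a production script would read the real
# (~500 row) list from a file next to it instead of hard-coding it.
SAMPLE_PREFIXES = [
    "/company/",
    "/company/admin/",
    "/profile/",
    "/api/v1/",
]


class PrefixMatcher:
    """Front (prefix) match, longest prefix wins.

    Prefixes are bucketed by their first character so each lookup scans only
    the candidates that can possibly match, which matters at hundreds of
    prefixes and millions of events.
    """

    def __init__(self, prefixes: Iterable[str]) -> None:
        self._by_first: Dict[str, List[str]] = {}
        for p in prefixes:
            if not p:
                continue  # an empty prefix would match everything; skip it
            self._by_first.setdefault(p[0], []).append(p)
        # Longest first, so the first hit is the most specific prefix.
        for candidates in self._by_first.values():
            candidates.sort(key=len, reverse=True)

    def longest_prefix(self, value: Optional[str]) -> Optional[str]:
        if not value:
            return None
        for p in self._by_first.get(value[0], ()):
            if value.startswith(p):
                return p
        return None


def normalize(value: Optional[str], matcher: PrefixMatcher) -> str:
    """Equivalent of eval ViewUrl=if(match(ViewUrl,"<prefix>.*"),"<prefix>*",ViewUrl):
    return "<prefix>*" when a prefix matches, otherwise the value unchanged."""
    hit = matcher.longest_prefix(value)
    return f"{hit}*" if hit else (value or "")


def run_lookup(rows: Iterable[Dict[str, str]], in_field: str, out_field: str,
               matcher: PrefixMatcher) -> List[Dict[str, str]]:
    """Apply the matcher to CSV rows the way Splunk hands them to an external
    lookup: only fill the output field when Splunk left it empty."""
    result = []
    for row in rows:
        row = dict(row)
        if not row.get(out_field):
            row[out_field] = normalize(row.get(in_field), matcher)
        result.append(row)
    return result


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write(f"usage: {argv[0]} <input_field> <output_field>\n")
        return 1
    in_field, out_field = argv[1], argv[2]
    matcher = PrefixMatcher(SAMPLE_PREFIXES)
    reader = csv.DictReader(sys.stdin)
    fieldnames = list(reader.fieldnames or [in_field])
    if out_field not in fieldnames:
        fieldnames.append(out_field)
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    for row in run_lookup(reader, in_field, out_field, matcher):
        writer.writerow(row)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the output is a "<prefix>*" bucket rather than the raw URL, the same script also serves as a coarse normalizer for reports where only the first path component matters; anything that starts with none of the listed prefixes passes through untouched, so an unexpected path is still visible rather than silently folded into a bucket.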

valiquet
Contributor

Splunk is not very practical, but I managed to make 500
"| eval ViewUrl=if(match(ViewUrl,"valueX"),"valueX",ViewUrl)"

Why don't you use a lookup? What is your base search?

$your search
| streamstats count AS a 
| map search="makeresults count=500 |head 1| eval a = $a$+ 1" maxsearches=500 
| transpose 500 
| eval column = 1 
| foreach column row* 
    [ eval value<<MATCHSTR>> = "value<<MATCHSTR>>" ] 
| fields val* 
| fields - value 
| foreach value* 
    [ eval ViewUrl=if(match(ViewUrl,"<<MATCHSTR>>"),"<<MATCHSTR>>",ViewUrl) ]
0 Karma

HiroshiSatoh
Champion

Is it just a front match? Also, may there be multiple matches?
I think we can use a lookup if it is just a forward match.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

It cannot be set in the GUI when a wildcard is used. You need to edit the configuration file.

DanielFordWA
Contributor

I downvoted this post because it links off site to a paywalled solution with no answer given.

0 Karma

HiroshiSatoh
Champion

Excuse me. Since I was using the URL as an example, I used it without knowing it was a link to a paid site. The link was fixed to point to Answers.

0 Karma

DanielFordWA
Contributor

Also, linking off site to a paywalled solution is not really what Splunk Answers is about.

0 Karma

DanielFordWA
Contributor

Just a front match.

0 Karma