
Dynamic eval if match from a list of values - foreach?

DanielFordWA
Contributor

A standard eval if match example is below.

Any ViewUrl value which starts with /company/.* has the entire string replaced with only "/company/*"

my search | eval ViewUrl=if(match(ViewUrl,"/company/.*"), "/company/*", ViewUrl)

Is it possible to do this dynamically from a list of values?

For example instead of only having the single value of "/company/*" I have around 500 values in a lookup or populated from a sub-search.

I could write this out manually as below, however this is impractical.

  my search | eval ViewUrl=if(match(ViewUrl,"value1"),"value1",ViewUrl) 
| eval ViewUrl=if(match(ViewUrl,"value2"),"value2",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value3"),"value3",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"valuen"),"valuen",ViewUrl)

Is there a way of using a loop or the for each command to achieve the above in a few lines instead of hundreds?

Thanks,

Dan


richgalloway
SplunkTrust

@DanielFordWA Is your problem resolved? If so, please accept the answer to help future readers.


sdchakraborty
Contributor

What about creating a custom command or an external lookup? You can just pass the ViewUrl value to a Python script, where you handle the matching part. The Python script then returns the data to Splunk.

Sid

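The Python side of the external lookup suggested above, written as an added example that is not code from anyone in this thread. It assumes a hypothetical lookup named url_prefix_lookup with fields ViewUrl and ViewUrl_norm, and a constructed PREFIXES list standing in for the 500 lookup values. It also differs from the original eval in two deliberate ways: match() is an unanchored regex search, so "/company/.*" also fires on /help/company/1, and a plain prefix test on "/company" would swallow /companyx; the script anchors at the start of the path, requires a segment boundary, and lets the longest prefix win so list order does not matter.

```python
#!/usr/bin/env python3
"""Splunk external lookup that collapses a ViewUrl onto a known prefix.

Assumed wiring (hypothetical names, not from the thread), transforms.conf:

    [url_prefix_lookup]
    external_cmd = url_prefix_lookup.py ViewUrl ViewUrl_norm
    external_type = python
    fields_list = ViewUrl, ViewUrl_norm

and at search time:

    ... | lookup url_prefix_lookup ViewUrl OUTPUT ViewUrl_norm
        | eval ViewUrl=coalesce(ViewUrl_norm, ViewUrl)

Splunk sends the lookup rows as CSV on stdin (header row names the fields)
and expects the same CSV back on stdout with the output field filled in.
"""
import csv
import io
import sys

# Constructed sample of the "500 values": every ViewUrl under one of these
# prefixes collapses to "<prefix>/*", mirroring if(match(ViewUrl,"/company/.*"),"/company/*",ViewUrl).
PREFIXES = [
    "/company",
    "/company/admin",
    "/user",
]


def load_prefixes(csv_text, column="prefix"):
    """Read prefixes from lookup CSV text with a 'prefix' column (assumed layout)."""
    return [row[column] for row in csv.DictReader(io.StringIO(csv_text)) if row.get(column)]


def normalize_view_url(url, prefixes=PREFIXES):
    """Return "<prefix>/*" for the longest prefix matching url at a segment boundary.

    Like the original regex "/company/.*", a bare "/company" with nothing after
    it is left alone. Query string and fragment never take part in the match.
    """
    path = url.split("?", 1)[0].split("#", 1)[0]
    best = None
    for p in prefixes:
        p = p.rstrip("/")
        # anchored at the start and at a "/" boundary: "/companyx/1" must not match "/company"
        if path.startswith(p + "/") and (best is None or len(p) > len(best)):
            best = p
    return best + "/*" if best is not None else url


def run_external_lookup(stdin, stdout, input_field="ViewUrl", output_field="ViewUrl_norm"):
    """Implement the external-lookup CSV protocol over the given streams."""
    reader = csv.DictReader(stdin)
    fieldnames = list(reader.fieldnames or [])
    if output_field not in fieldnames:
        fieldnames.append(output_field)
    writer = csv.DictWriter(stdout, fieldnames=fieldnames)
    writer.writeheader()
    for row in reader:
        value = row.get(input_field) or ""
        # unmatched values are echoed back, like the else branch of the eval
        row[output_field] = normalize_view_url(value) if value else ""
        writer.writerow(row)


def lookup_csv_text(csv_text, **kwargs):
    """Run the protocol over a string and return the result rows (handy for testing)."""
    out = io.StringIO()
    run_external_lookup(io.StringIO(csv_text), out, **kwargs)
    return list(csv.DictReader(io.StringIO(out.getvalue())))


if __name__ == "__main__":
    run_external_lookup(sys.stdin, sys.stdout)
```

Because the match is done in Python, the prefix list can be as long as the lookup file and is loaded once per invocation rather than expanded into hundreds of eval pipes. If no script is wanted, the CSV lookup with WILDCARD match_type mentioned further down in the thread reaches a similar result, though it does not give you the segment-boundary check without care in how the patterns are written.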

valiquet
Contributor

Splunk is not very practical, but I managed to make 500 of
"| eval ViewUrl=if(match(ViewUrl,"valueX"),"valueX",ViewUrl)"

Why don't you use a lookup? What is your base search?

$your search
| streamstats count AS a 
| map search="makeresults count=500 |head 1| eval a = $a$+ 1" maxsearches=500 
| transpose 500 
| eval column = 1 
| foreach column row* 
    [ eval value<<MATCHSTR>> = "value<<MATCHSTR>>" ] 
| fields val* 
| fields - value 
| foreach value* 
    [ eval ViewUrl=if(match(ViewUrl,"<<MATCHSTR>>"),"<<MATCHSTR>>",ViewUrl) ]

HiroshiSatoh
Champion

Is it just a front match? Also, may there be multiple matches?
I think we can use a lookup if it is just a forward match.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

It cannot be set in the GUI when a wildcard is used. You need to edit the configuration file.

DanielFordWA
Contributor

I downvoted this post because it links off site to a paywalled solution with no answer given.


HiroshiSatoh
Champion

Excuse me. Since I was using the URL as an example, I used it without knowing it was a link to a paid site. The link has been fixed to point to Answers.


DanielFordWA
Contributor

Also, linking off site to a paywalled solution is not really what Splunk Answers is about.


DanielFordWA
Contributor

Just a front match.
