Splunk Search

Dynamic eval if match from a list of values - foreach?

Contributor

A standard eval if match example is below.

Any ViewUrl value which starts with /company/.* has the entire string replaced with only "/company/*"

my search | eval ViewUrl=if(match(ViewUrl,"/company/.*"), "/company/*", ViewUrl)

Is it possible to do this dynamically from a list of values?

For example instead of only having the single value of "/company/*" I have around 500 values in a lookup or populated from a sub-search.

I could write this out manually as below, however this is impractical.

my search | eval ViewUrl=if(match(ViewUrl,"value1"),"value1",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value2"),"value2",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"value3"),"value3",ViewUrl)
| eval ViewUrl=if(match(ViewUrl,"valuen"),"valuen",ViewUrl)

Is there a way of using a loop or the for each command to achieve the above in a few lines instead of hundreds?

Thanks,

Dan


SplunkTrust

@DanielFordWA Is your problem resolved? If so, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.

Contributor

What about creating a custom command or an external lookup? You can just pass the ViewUrl value to a Python script where you handle the matching part. Then the Python script returns the data to Splunk.

Sid

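The external-lookup route suggested above, as an added example that is not code from the original thread or from Splunk: a script in the shape Splunk expects for an external lookup (fields named on the command line, CSV with those columns on stdin, the same CSV with the output column filled on stdout). It normalizes ViewUrl by literal prefix, which is what the original question needs ("starts with /company/"), and it sidesteps two problems with the chained `match()` approach: `match()` is a regular-expression test and is not anchored, so a value such as `/company/.` would match anywhere in the URL, and 500 `eval` pipes are 500 regex evaluations per event. The prefix list, the stanza name `viewurl_norm`, the script name `viewurl_lookup.py` and the field name `NormalizedUrl` are assumptions for the example; in a real deployment the prefixes would be loaded from a file beside the script.

```python
#!/usr/bin/env python3
"""Added example of a Splunk external lookup that normalizes URLs by prefix.

Assumed wiring in transforms.conf (names are illustrative):

    [viewurl_norm]
    external_cmd = viewurl_lookup.py ViewUrl NormalizedUrl
    fields_list = ViewUrl, NormalizedUrl

and in the search:

    ... | lookup viewurl_norm ViewUrl OUTPUT NormalizedUrl

Splunk invokes the script with the field names as arguments and pipes a CSV
with those columns on stdin; the script writes the same CSV back with the
output column filled in.
"""
import csv
import sys

# Constructed sample prefix list. In practice load ~500 entries with
# load_prefixes(open(path)) rather than hard-coding them.
PREFIXES = [
    "/company/",
    "/company/reports/",
    "/user/",
]


def load_prefixes(lines):
    """Parse a prefix list: one literal prefix per line, blanks and
    '#' comments ignored, surrounding whitespace stripped."""
    prefixes = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            prefixes.append(line)
    return prefixes


def build_matcher(prefixes):
    """Return normalize(url) -> url with the longest matching literal
    prefix replaced by prefix + '*', or the url unchanged if none match.

    Prefixes are compared with str.startswith, so they are literal text
    (no regex metacharacters) and always anchored at the start of the URL.
    Longest prefix first so the most specific entry wins when one prefix
    is itself a prefix of another (e.g. /company/ and /company/reports/).
    """
    ordered = sorted(set(prefixes), key=len, reverse=True)

    def normalize(url):
        for prefix in ordered:
            if url.startswith(prefix):
                return prefix + "*"
        return url

    return normalize


def process(rows, in_field, out_field, normalize):
    """Copy each row (a dict) and set out_field from in_field.
    Rows with a missing or empty in_field get an empty out_field."""
    result = []
    for row in rows:
        row = dict(row)
        value = row.get(in_field) or ""
        row[out_field] = normalize(value) if value else ""
        result.append(row)
    return result


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: viewurl_lookup.py <input_field> <output_field>\n")
        return 2
    in_field, out_field = argv
    reader = csv.DictReader(sys.stdin)
    fieldnames = list(reader.fieldnames or [])
    if out_field not in fieldnames:
        fieldnames.append(out_field)
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(process(reader, in_field, out_field, build_matcher(PREFIXES)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the comparison is a literal `startswith`, an entry in the prefix list can never be interpreted as a regular expression, and a URL that merely contains `/company/` somewhere in its path is left alone; sorting by length keeps the result deterministic when several prefixes overlap.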

Contributor

Splunk is not very practical but I managed to make 500
"| eval ViewUrl=if(match(ViewUrl,"valueX"),"valueX",ViewUrl)"

Why don't you use a lookup? What is your base search?

$your search
| streamstats count AS a
| map search="makeresults count=500 | head 1 | eval a = $a$ + 1" maxsearches=500
| transpose 500
| eval column = 1
| foreach column row*
    [ eval value<<MATCHSTR>> = "value<<MATCHSTR>>" ]
| fields val*
| fields - value
| foreach value*
    [ eval ViewUrl=if(match(ViewUrl,"<<MATCHSTR>>"),"<<MATCHSTR>>",ViewUrl) ]

Champion

Is it just a front match? Also, may there be multiple matches?
I think we can use a lookup if it is just a forward match.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

It cannot be set in the GUI when a wildcard is used; you need to edit the configuration file.

Contributor

I downvoted this post because it links off site to a paywalled solution with no answer given.


Champion

Excuse me. Since I was using the URL example, I used it without knowing it was a link to a paid site. The link has been fixed to point to Answers.


Contributor

Also, linking off site to a paywalled solution is not really what Splunk Answers is about.


Contributor

Just a front match.
