Re: Eval Substring Match?

wilcomply · ‎09-17-2021

Anyone have a good method for doing substring matches where field1 is my searched field and field2 is my substring I want to search for? Attempted to use the following logic without any luck and running low on ideas.

| eval comparison = if(like(field1, %field2%), "1", "0")

field1 is a URL and field2 is a base domain, but field2 is input from a lookup, so it's variable but would look something like:

field1="http://www.yahoo.com/mail/inbox"
field2="yahoo"

OR

field1="linkedin.com/company/google/profile"
field2="google"

I'm low on ideas after spending my time in docs and forums all day.

ITWhisperer · ‎09-18-2021

Use match not like

| makeresults
| eval field1="http://www.yahoo.com/mail/inbox"
| eval field2="yahoo"
| eval field3="linkedin.com/company/google/profile"
| eval field4="google"
| eval comparison1 = if(match(field1, field2), "1", "0")
| eval comparison2 = if(match(field3, field4), "1", "0")
| eval comparison3 = if(match(field1, field4), "1", "0")
| eval comparison4 = if(match(field3, field2), "1", "0")

PickleRick · ‎09-18-2021

You might also concatenate values with wildcards (could be useful in case of more complicated patterns)

| eval result=if(like(field1, "%".field2."%"),1,0)

Eval Substring Match?

eval

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation