Re: Eval Substring Match?

wilcomply · ‎09-17-2021

Anyone have a good method for doing substring matches where field1 is my searched field and field2 is my substring I want to search for? Attempted to use the following logic without any luck and running low on ideas.

| eval comparison = if(like(field1, %field2%), "1", "0")

field1 is a URL and field2 is a base domain, but field2 is input from a lookup, so it's variable but would look something like:

field1="http://www.yahoo.com/mail/inbox"
field2="yahoo"

OR

field1="linkedin.com/company/google/profile"
field2="google"

I'm low on ideas after spending my time in docs and forums all day.

ITWhisperer · ‎09-18-2021

Use match not like

| makeresults
| eval field1="http://www.yahoo.com/mail/inbox"
| eval field2="yahoo"
| eval field3="linkedin.com/company/google/profile"
| eval field4="google"
| eval comparison1 = if(match(field1, field2), "1", "0")
| eval comparison2 = if(match(field3, field4), "1", "0")
| eval comparison3 = if(match(field1, field4), "1", "0")
| eval comparison4 = if(match(field3, field2), "1", "0")

PickleRick · ‎09-18-2021

You might also concatenate values with wildcards (could be useful in case of more complicated patterns)

| eval result=if(like(field1, "%".field2."%"),1,0)

Eval Substring Match?

eval

lookup

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation