Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find a field value string that is partially present in another field value string.

lbogle
Contributor
‎06-18-2015 10:21 AM

Hi Splunkers,
I'm trying to work through a search where I have a base query delivering usernames and some corresponding hostnames. Hostnames are usually in the form of pc-username. There are frequently variants where the user will have pc-username-2 or pc-username-W7 etc. but typically 'username' is in there somewhere.
What would be a way for me to locate instances where hostname contained the actual username and identify that instance as "True". OR instances where the hostname didn't contain the actual username and identify that instance as "False"?
IE the first two results would be marked as true and the last one would be marked as false in the results below.

index=foo sourcetype=bar | table username,hostname

RequestorName MachineName
gtron pc-gtron
karthur pc-karthur-w8
tkhan pc-support-test

Thanks for your help!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-18-2015 11:05 AM

Try this

index=foo sourcetype=bar
| eval matched=if(like(hostname,"%".username."%"),"True","False")
| table username hostname matched

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-18-2015 11:05 AM

Try this

index=foo sourcetype=bar
| eval matched=if(like(hostname,"%".username."%"),"True","False")
| table username hostname matched
Reply
Solved! Jump to solution

lbogle
Contributor
‎06-18-2015 11:19 AM

Seriously, every time you pick up one of my questions, I get super excited because I know you almost always take the time to answer and answer correctly! Minus the extra parenthesis, that did it!
You rock!
Thanks!

Reply
Solved! Jump to solution

lguinn2
Legend
‎06-19-2015 10:36 AM

Thanks, guys - and I fixed the typo...

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-18-2015 06:05 PM

This makes me happy ;D Also, @lguinn is a rockstar!

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎06-18-2015 07:16 PM

+1, upgoats for @lguinn!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...