Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find values contained on another filed not exact match

Mary666
Communicator
‎11-02-2021 03:52 PM

Hello All, 

This may seem easy, but its been quite tedious. How can I create one field that has common values from two separate strings:

Example: 

Field 1=123_yyy  Field 2=777_x_123_0

Desired Results= New Field = 123 

I have tried the below, but it only gives me false --- I know they dont match - I just want what is matching - any suggestions anyone? 

 | eval matched=if(like(Field1,"%".Field2."%"),"True","False")

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎11-02-2021 05:32 PM

Hi @Mary666 

If your fields 1,2 having set pattern with _ as delimiter you could try something like this.

| makeresults 
| eval Field1="123_yyy", Field2="777_x_123_0" 
| eval f1=mvindex(split(Field1, "_"),0), f2=mvindex(split(Field2, "_"),2) 
| eval bool=if(f1 == f2, "True", "False")

 --

An upvote would be appreciated if this reply helps! 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎11-02-2021 05:32 PM

Hi @Mary666 

If your fields 1,2 having set pattern with _ as delimiter you could try something like this.

| makeresults 
| eval Field1="123_yyy", Field2="777_x_123_0" 
| eval f1=mvindex(split(Field1, "_"),0), f2=mvindex(split(Field2, "_"),2) 
| eval bool=if(f1 == f2, "True", "False")

 --

An upvote would be appreciated if this reply helps! 

0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎11-03-2021 02:22 PM

That works for that example, but what if there is no defined pattern and I only want the exact match... lets say:

Blue123_yz_pz

Blue123_yz_pz_flz

Result should be: Blue123_yz_pz

Is there a way of doing this without using REX and if the patterns vary? Thanks in Advance

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎11-03-2021 05:16 PM

should know what's been compared and either extract using rex or other functions like split, substring. Pattern is must generic solution is tough without knowing how the data is structured.

0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎11-08-2021 11:47 AM

Thanks for your help, basically using split and mvindex did the trick. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...