Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find values contained on another filed not exact match

Mary666
Communicator
‎11-02-2021 03:52 PM

Hello All, 

This may seem easy, but its been quite tedious. How can I create one field that has common values from two separate strings:

Example: 

Field 1=123_yyy  Field 2=777_x_123_0

Desired Results= New Field = 123 

I have tried the below, but it only gives me false --- I know they dont match - I just want what is matching - any suggestions anyone? 

 | eval matched=if(like(Field1,"%".Field2."%"),"True","False")

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎11-02-2021 05:32 PM

Hi @Mary666 

If your fields 1,2 having set pattern with _ as delimiter you could try something like this.

| makeresults 
| eval Field1="123_yyy", Field2="777_x_123_0" 
| eval f1=mvindex(split(Field1, "_"),0), f2=mvindex(split(Field2, "_"),2) 
| eval bool=if(f1 == f2, "True", "False")

 --

An upvote would be appreciated if this reply helps! 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎11-02-2021 05:32 PM

Hi @Mary666 

If your fields 1,2 having set pattern with _ as delimiter you could try something like this.

| makeresults 
| eval Field1="123_yyy", Field2="777_x_123_0" 
| eval f1=mvindex(split(Field1, "_"),0), f2=mvindex(split(Field2, "_"),2) 
| eval bool=if(f1 == f2, "True", "False")

 --

An upvote would be appreciated if this reply helps! 

0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎11-03-2021 02:22 PM

That works for that example, but what if there is no defined pattern and I only want the exact match... lets say:

Blue123_yz_pz

Blue123_yz_pz_flz

Result should be: Blue123_yz_pz

Is there a way of doing this without using REX and if the patterns vary? Thanks in Advance

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎11-03-2021 05:16 PM

should know what's been compared and either extract using rex or other functions like split, substring. Pattern is must generic solution is tough without knowing how the data is structured.

0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎11-08-2021 11:47 AM

Thanks for your help, basically using split and mvindex did the trick. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...