Solved: Re: How do I look for the existence of one field w...

rwmilligan · ‎05-16-2018

For example, if I have a proxy log, and it shows User=A, then In the URL field we have "http://somesite.com/parameter=A", I want it to be able to pull up those logs.

elliotproebstel · ‎05-16-2018

You can make that comparison by using where like() in this way:

| where like(URL, "%".user."%")

Here's some sample run-anywhere code. Everything before the where like() line is just making a couple of test events:

| makeresults 
| eval user="Alex", URL="http://somesite.com/parameter=Alex" 
| append 
    [| makeresults 
    | eval user="Beth", URL="http://somesite.com/parameter=Baloney"] 
| where like(URL, "%".user."%")

Note that the % are being appended to the start and end of the user field for the comparison, because these are the wildcards for the like function.

View solution in original post

elliotproebstel · ‎05-16-2018

You can make that comparison by using where like() in this way:

| where like(URL, "%".user."%")

Here's some sample run-anywhere code. Everything before the where like() line is just making a couple of test events:

| makeresults 
| eval user="Alex", URL="http://somesite.com/parameter=Alex" 
| append 
    [| makeresults 
    | eval user="Beth", URL="http://somesite.com/parameter=Baloney"] 
| where like(URL, "%".user."%")

Note that the % are being appended to the start and end of the user field for the comparison, because these are the wildcards for the like function.

richgalloway · ‎05-16-2018

Please share some sample events.

---
If this reply helps you, Karma would be appreciated.

How do I look for the existence of one field within another field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!