How do I write a search that can match a word from...

satyaallaparthi · ‎05-08-2023

Hello,

I have 2 different files names lookup1.csv and lookup2.csv, which have column A and column B in both.

How can we merge two files using a single word in Column A in both files with a sentence in it?

lookup1: Column A: "I am good"

lookup2: Column A: "I am bad"

I want to combine both the files using a word "I am" in this case.

Any help would be appreciated.

yuanliu · ‎05-08-2023

Can you explain what is the desired output? In other words, what does "match" mean in this context? Is this entire exercise between two lookups or will it involve event data?

satyaallaparthi · ‎05-09-2023

Hi,

Entire output will be in between two lookups.

desired output: if there is a word match in between Column A of two files, then I want to display “yes” in a new Column called Matching_word and “no” if there is no word match.

yuanliu · ‎05-10-2023

Splunk may not be the best tool for this task because SPL doesn't have a builtin definition of "word". If I take space as word boundary, you can do something like

| inputlookup lookup1
| eval lookup = lookup1
| append 
    [ | inputlookup lookup2
    | eval lookup = lookup2]
| eval ColumnA = split(ColumnA, " ") ``` assume space is the only word boundary ```
| stats dc(lookup) as sources by ColumnA
| stats max(sources) as match
| eval match = if(match > 1, "yes", "no")

dc is the basic idea. You can improve/enhance word detection. But there is a limit to what you can do before it becomes labor.

Hope this helps.

How do I write a search that can match a word from two different lookup files?

eval

fields

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...