Hi All,
I am using a form where I will get input for one field and produce results using it. The input may contain wild cards sometimes.
Here is the issue when the input contains a wild card.
Example:
Input field Name - SampleName
SampleName - Jobname.id.*.runtime
When using the above search, I only want to match the events that contain the below:
Jobname.id.12345.runtime
Jobname.id.34521.runtime
Jobname.id.87645.runtime
But I am getting some more matching events including the said ones.
Jobname.id.12345.runtime - Needed
Jobname.id.34521.runtime - Needed
Jobname.id.87645.runtime - Needed
Jobname.id.87645.turn1.runtime - Not Needed
Jobname.id.12345.turn2.runtime - Not needed
Jobname.id.87645.trn.runtime - Not Needed.
Please help me to fine tune my query to only match the events I need.
The question as asked, if I'm reading this correctly, is that you want to match certain results, but not others. The ones you want to match have only digits in that middle piece, no extra "words" or other things.
You didn't provide the initial base search, so I just have to "lorem ipsum" it.
One way is to build a more specific matching string.
... base search here
| rex field=SampleName "(?<isneeded>Jobname\.id\.\d+\.runtime)"
| search isneeded="*"
The idea is that the rex will only define the field isneeded if the overall regular expression fits, and that regex is the specific words (with escaped periods!) of "Jobname.id." followed by \d+ which is one or more digits, followed by ".runtime". So if there are extra non-digits in there somewhere, it won't match anything, and thus isneeded will not be a field in that event. Lastly, we just search where isneeded got defined.
You could also use that same, or a similar, search in match which maybe is more clear:
... base search here
| eval matches = if(match(SampleName,"Jobname\.id\.\d+\.runtime"), 1, 0)
| search matches=1
(That last was pulled nearly verbatim out of the documentation.)
I hope this helps!
Happy Splunking,
Rich
It is not possible; the best that you can do is something like this:
index=YouShoulAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo SampleName = Jobname.id.*.runtime
| where match(SampleName, "^Jobname\.id\.\d+\.runtime$")
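The translation the answers above do by hand, from the form's wildcard input to an anchored regex, written out in Python as an added example (not code from any poster in this thread). It assumes "*" stands for one all-digit segment; the function names and the two rows marked "constructed" are made up for illustration.

```python
import re

# Assumption for this example: "*" in the form input stands for exactly one
# dot-delimited segment made only of digits, as in the question's "Needed" rows.
SEGMENT = r"\d+"

def wildcard_to_regex(pattern):
    """Turn form input such as 'Jobname.id.*.runtime' into an anchored regex.

    Every piece other than '*' goes through re.escape(), so '.', '(' or '|'
    typed into the form is matched literally instead of acting as regex syntax.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return "^" + SEGMENT.join(literal_parts) + "$"

def filter_names(pattern, names):
    """Keep only the names that the translated, anchored regex accepts."""
    rx = re.compile(wildcard_to_regex(pattern))
    return [n for n in names if rx.search(n)]

def naive_filter(pattern, names):
    """What happens if the raw form input is used as a regex unchanged:
    '.' matches any character and '.*' spans across several segments."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]

# The six values from the question, plus two constructed rows.
SAMPLE = [
    "Jobname.id.12345.runtime",
    "Jobname.id.34521.runtime",
    "Jobname.id.87645.runtime",
    "Jobname.id.87645.turn1.runtime",
    "Jobname.id.12345.turn2.runtime",
    "Jobname.id.87645.trn.runtime",
    "XJobname.id.12345.runtime.old",  # constructed: extra prefix and suffix
    "JobnameXidX12345Xruntime",       # constructed: no literal dots at all
]

if __name__ == "__main__":
    user_input = "Jobname.id.*.runtime"
    print(wildcard_to_regex(user_input))
    for name in filter_names(user_input, SAMPLE):
        print("kept:", name)
    print("naive match count:", len(naive_filter(user_input, SAMPLE)))
```

The generated pattern is the same string used in the where match(...) answer, so it can be checked against the sample rows before it goes into the search.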
Thank you @rich7177. It is working fine.