Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you store the matching value as a field?

szabados
Communicator
‎11-19-2018 08:26 AM

Suppose I have a query like:

index=my_index stringA OR stringB OR stringC | table logentry, whatmatched

And for the "whatmatched" field, I would like to have the particular string against my raw data has matched, yielding an output like:

logentry                          | whatmatched
this is message with stringB      | stringB
stringC comes here                | stringC

Is it possible to extract this somehow?

0 Karma
Reply

kmaron
Motivator
‎11-19-2018 10:46 AM

try this 

| eval whatmatched = case(like(_raw, "%string1%"), "string1", like(_raw, "%string2%"), "string2", like(_raw, "%string3%"), "string3")
0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...