Splunk Search

How to check if a field contains a value of another field?

Communicator

I would like to take the value of a field and see if it is CONTAINED within another field (not exact match). The text is not necessarily always in the beginning. Some examples of what I am trying to match:

Ex: field1=text field2=text@domain
Ex2: field1=text field2=sometext

I'm attempting to search Windows event 4648 for non-matching usernames. We have users with admin accounts that are very close to their unprivileged account names but with a couple characters added.

1 Solution

Revered Legend

You can do something this

your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")

View solution in original post

Esteemed Legend

Like this:

| where match(field2,field1)

Or this:

... | rename _raw AS raw
| map search="|noop|stats count as contained|eval field2=\"$field2$\" | eval contained=if(like(field2, \"%$field1$%\"), \"$raw$\", null())"

Communicator

I tried to apply this logic as I want to check if the values from con_splunkUL exists within con_UL, but for me it seems its checking for a direct match between both fields rather than checking for a match within the whole data set.

| eval MonitoringStatus = if(like(con_splunkUL,"%".con_UL."%"), "Monitored", "Not Monitored") 
0 Karma

New Member

Did you figure this out, i'm having the same issues

0 Karma

Explorer

I have same type of issue there , I want to look into two tables to match fields value if any match found then ignore if no match found then create separate table too display unique values only which comes out of two tables

Here are my tables, Example: If search pick value (353649273) from table A then it should search for match with all values in table B , not look like only one value corresponding to that field.

OrderNumberFailureA OrderNumberFailureB
353649273 353648649
353649184 353648566
353649091 353616829
353649033 353648649
353648797

353648680

353648745

353648730

353638941

353649331

340568517

353638941

353648361

349156251

353649335

353649091

353649240

353649143

353649160

353649092

353649312

353648984

353649091

353649163

353649240

353649092

353649143

353649095

353649008

353648984

353649008

353648794

353648856

353649273

353648796

353648754

353648620

353648594

353648794

353648649

353648685

353648651

353638941

353648610

353649273

353649241

353649163

353616829

353649163

353648754

353649347

353649335

353648748

353648661

353648649

353648754

353648649

353648649

353648984

353648994

353648802

353649263

353648649

353649347

353649240

353649178

353616829

353649092

353648984

353648754

353648768

353648749

353649387

353648680

353648649

353648566

0 Karma

Explorer

Did anyone get a chance to look into this as well

0 Karma

New Member

Its complicated, still didnt get this quite working..

0 Karma

Explorer

I tried using foreach loop but that didn't work. If we think about logic then it says we have to pick value from table A and search for each value in next table(B) which logically should be possible using foreach look to iterate through each value.

Also if this is not possible then can you query like to get count of unique values by appending column 2 into column 1 then check for count more than 1.

But in this case we have to dedup column 1 & 2 before we append them to avoid any discrepancy. Waiting for your comments....

0 Karma

New Member

Even if we append and dedup the results are still different because they are prefixes... the CIDR command can work for only numerical values being an IP address, but for this instance we are using Hex decimals. So at this stage, it is not possible. We tried using the foreach but because we have 30,000 different prefixes... our subsearches were huge and max out..

0 Karma

Explorer

can we store both search queries results into two lookup tables instead of creating normal table, after that can we compare for unique values.

Just a ask

0 Karma

New Member

Yes I did, I used the below.

| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")

Also here is another example I used within the same search

| eval Action=if ((MonitoringStatus="Not Monitored")AND(like(Path,"%Hosting%")),"Action Required","No Action Required")
0 Karma

New Member

Regarding this though how would you go about it if you have an index with values...

and you want to check it against a .csv which contains prefixes...

I've currently got a question posted on splunkanswers. https://answers.splunk.com/answers/692085/how-to-match-two-columns-based-on-prefix-numbersle.html#an...

0 Karma

Communicator

Try this:

| eval match=if(match(text,text2),1,0)
| where match=1

As the match command uses a RegEx, you can match one field as RegEx against another field.

From eval docs:

match(SUBJECT, "REGEX")

Revered Legend

You can do something this

your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")

View solution in original post

Communicator

thanks very much! I was able to get it working with this.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!