Splunk Search

How to compare 2 values from 1 field in different events and use match or like commands

rahul_jasrotia
Path Finder

Hi Guys,

I have a field, say hostname, with some values like AAB89786 and AAB89786W in different events. Basically they're the same values but with an extra character, so it can be anything and not just W like mentioned above.
Now I want to compare these 2 values and prevent them from going to the next search as they're the same and not 2 different hostnames. Any clues on how we can do this?

1 Solution

HiroshiSatoh
Champion

If you know the format, you can convert hostname.

EX.) Convert with sourcetype
(your search)
| eval hostname=case(sourcetype=="A", substr(hostname,1,10), sourcetype=="B", substr(hostname,2,10), true(), hostname)
| stats count by hostname


rahul_jasrotia
Path Finder

The sourcetype is the same; please take a look at the samples above and provide your inputs.


HiroshiSatoh
Champion

I do not know the condition in this sample.
Please fill in XXXX yourself.

(your search)
| eval hostname=if(XXXX, substr(hostname,1,len(hostname)-1), hostname)

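The XXXX condition the reply leaves open can be stated as "the hostname minus its last character also occurs as a hostname somewhere in the same result set", which is what the asker's description (exactly one character appended) implies. The following is an added Python illustration of that normalisation, not SPL and not from anyone in the thread; the events are constructed to mirror the masked dhcpd lines posted below, and the parenthesised-hostname pattern is an assumption taken from those lines.

```python
import re
from collections import Counter

# Constructed sample events modelled on the masked dhcpd lines in the thread
# (not the poster's real data). The client hostname sits in parentheses after
# the MAC address; one line lacks the space before "(" and one has a stray
# space before ")", as in the posted sample.
EVENTS = [
    "<30>Jul 19 08:38:34 dhcp1.example.net dhcpd[22174]: DHCPACK on 10.0.0.181 to e4:a4:71:24:aa:6d (AAB89786W ) via eth2 relay 10.0.0.1 lease-duration 43200 (RENEW) uid 01:e4:a4:71:24:aa:6d",
    "<30>Jul 19 08:22:06 dhcp2.example.net dhcpd[11241]: DHCPACK on 10.0.0.231 to 08:6d:41:e6:cb:a1 (Treo-abc) via eth2 relay 10.0.0.1 lease-duration 432000 (RENEW) uid 01:08:6d:41:e6:cb:a1",
    "<30>Jul 19 08:15:17 dhcp2.example.net dhcpd[11241]: DHCPACK on 10.0.0.77 to 08:6d:41:e6:cb:a2(idb25) via eth2 relay 10.0.0.1 lease-duration 3600 (RENEW) uid 01:08:6d:41:e6:cb:a2",
    "<30>Jul 19 08:02:28 dhcp2.example.net dhcpd[11241]: DHCPACK on 10.0.0.3 to e4:a4:71:24:aa:6d (AAB89786) via eth2 relay 10.0.0.1 lease-duration 3600 uid 01:e4:a4:71:24:aa:6d",
]

# Hostname in parentheses directly before "via"; "(RENEW)" does not match
# because it is followed by "uid", not "via".
HOST_RE = re.compile(r"\(\s*([^()\s]+)\s*\)\s+via\s")

def extract_hostnames(events):
    """Return the raw hostname from each event that carries one, in order."""
    hosts = []
    for line in events:
        m = HOST_RE.search(line)
        if m:
            hosts.append(m.group(1))
    return hosts

def canonical(host, known):
    """Map host to its one-character-shorter form when that form is itself a
    hostname in the data set; otherwise keep host unchanged. This is the SPL
    if(XXXX, substr(hostname,1,len(hostname)-1), hostname) with
    XXXX = 'the trimmed value exists as a hostname elsewhere'."""
    trimmed = host[:-1]
    return trimmed if len(host) > 1 and trimmed in known else host

def count_by_canonical_hostname(events):
    """Equivalent of '| stats count by hostname' after normalisation."""
    raw = extract_hostnames(events)
    known = set(raw)
    return Counter(canonical(h, known) for h in raw)

if __name__ == "__main__":
    for host, n in sorted(count_by_canonical_hostname(EVENTS).items()):
        print(f"{host}\t{n}")
```

A value whose shorter sibling never appears (idb25 here) is left alone, so the rule only merges pairs the data actually shows rather than blindly chopping the last character off every hostname.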

koshyk
Super Champion

Any chance of putting up some sample events?


rahul_jasrotia
Path Finder

Please find the sample below; I have masked the IP and MAC addresses.
Now the hostnames in parentheses, i.e. AAB89786W and AAB89786, are the same, but Splunk is treating them differently and I need to solve this.

<30>Jul 19 08:38:34 xxxx057-3dc-xxxxx.net.xxxx.com dhcpd[22174]: DHCPACK on 1d.xx.33.181 to e4:a4:71:24:xx:6d (AAB89786W ) via eth2 relay 10.dd.dd.pp lease-duration 43200 (RENEW) uid xx:00:xx:5d:21:1f:xx
<30>Jul 19 08:22:06 xxxx059-3dc-xxxxxx.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.xx.xx.231 to 08:xx:41:e6:cb:xx (Treo-xxx) via eth2 relay 10.cc.mm.1 lease-duration 432000 (RENEW) uid 01:08:xx:41:e6:xx
<30>Jul 19 08:15:17 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.56.xx.xxx to 08:6d:xx:e6:xx(idb25) via eth2 relay 1x.56.xx.1 lease-duration 3600 (RENEW) uid zz:08:6d:xx:e6:cb:a1
<30>Jul 19 08:02:28 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 10.29.33.3 to e4:xx:71:xx:b4:6d (AAB89786W) via eth2 relay 1x.29.xx.12 lease-duration 3600 uid 01:xx:a4:xx:24:xx:6d


rahul_jasrotia
Path Finder

The sample hasn't come out well; please treat each timestamp as the start of a new event.


niketn
Legend

@rahul_jasrotia, you can post the events using the code button here (i.e. 101010) to make sure the data does not get escaped.

Is the length for field value constant? Is there only one additional character in the other event or can they be more?


rahul_jasrotia
Path Finder

1. No, the length is not constant.
2. Yes, only 1 character is appended at the end.


niketn
Legend

I see the following 4 events in your example if I split each event at a timestamp. However, only two out of the 4 events provided have the host field you are interested in, and both are AAB89786W. As per your question they should be AAB89786 and AAB89786W. Are you sure you have not missed any other required event?

Jul 19 08:38:34 xxxx057-3dc-xxxxx.net.xxxx.com dhcpd[22174]: DHCPACK on 1d.xx.33.181 to e4:a4:71:24:xx:6d (AAB89786W ) via eth2 relay 10.dd.dd.pp lease-duration 43200 (RENEW) uid xx:00:xx:5d:21:1f:xx 

Jul 19 08:22:06 xxxx059-3dc-xxxxxx.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.xx.xx.231 to 08:xx:41:e6:cb:xx (Treo-xxx) via eth2 relay 10.cc.mm.1 lease-duration 432000 (RENEW) uid 01:08:xx:41:e6:xx 

Jul 19 08:15:17 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 1d.56.xx.xxx to 08:6d:xx:e6:xx(idb25) via eth2 relay 1x.56.xx.1 lease-duration 3600 (RENEW) uid zz:08:6d:xx:e6:cb:a1 

Jul 19 08:02:28 nl00059-3dc-nsdhcp02.net.xxxx.com dhcpd[11241]: DHCPACK on 10.29.33.3 to e4:xx:71:xx:b4:6d (AAB89786W) via eth2 relay 1x.29.xx.12 lease-duration 3600 uid 01:xx:a4:xx:24:xx:6d

It would be easier for us to assist if you just provide the two events where AAB89786W and AAB89786 are present, so that we do not confuse them with unwanted samples.
Kindly make sure you post events using the code button (101010) on Splunk Answers.
