Splunk Search

How to compare a particular word with each and every word in the list of host and get the below output .

AyushiSrivas
Loves-to-Learn

I have a list of below host in a csv

uasws12

usaws120

usaws11

usaws13

susaws13

usaws130

usaws14

usaws15

usaws16

usaws17

usaws173

usaws18

tusaws18

so the output should be following, if there is some preceding and succeeding char(including digits and alphabets), then it should be displayed as the output in another column. Please help me with the query.

Expected Output:-

uasws12

usaws13

usaws17

usaws18

Labels (1)
0 Karma

AyushiSrivas
Loves-to-Learn

I have a list of below host in a csv

uasws12

usaws120

usaws11

usaws13

susaws13

usaws130

usaws14

usaws15

usaws16

usaws17

usaws173

usaws18

tusaws18

so the output should be following, if there is some preceding and succeeding char(including digits or alphabets) like for example uasws12 has its succeeding char as digit 0 i.e uasws120 so it should be come in output, like wise usaws18 has it preceding char as alphabet t i.e. tusaws18 so in that case also it should be displayed in output list . In both the case like if a string is either having preceding and succeeding value or both then it should be outputted, Please help me with the query. this is very urgent.

Expected Output:-

uasws12

usaws13

usaws17

usaws18

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Also let me add that if "this is very urgent" - that's what you pay either your local friendly Splunk partner or Professional Services for. This is a community-driven forum where people voluntarily use their time to help others. And do that in their own time at their own pace.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

To make it easier to understand (and to calculate by a computer), let me restate the problem:


In an array of n elements, select element i if element i+1 contains element i.

 Thus,

| inputlookup hostcsv ``` output host ```
| eval n = mvrange(1, mvcount(host))
| eval output = mvmap(n, if(match(mvindex(host, n), mvindex(host, n-1)), mvindex(host, n-1), null()))

Below is an emulation for you to play around and compare with real data.

| makeresults
| eval host = mvappend("uasws12",
"uasws120",
"usaws11",
"usaws13",
"susaws13",
"usaws130",
"usaws14",
"usaws15",
"usaws16",
"usaws17",
"usaws173",
"usaws18",
"tusaws18")
``` the above emulates 
| inputlookup hostcsv
and outputs host ```
Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Assuming there was a typo in your first line, try something like this

| makeresults
| fields - _time
| eval _raw="usaws12
usaws120
usaws11
usaws13
susaws13
usaws130
usaws14
usaws15
usaws16
usaws17
usaws173
usaws18
tusaws188"
| multikv noheader=t
| fields _raw
| eventstats values(_raw) as all
| foreach mode=multivalue all
    [| eval match=if(match(<<ITEM>>,".*"._raw.".*") AND <<ITEM>>!=_raw,"true",match)]
| where isnotnull(match)
| fields _raw
0 Karma

AyushiSrivas
Loves-to-Learn

@ITWhisperer 

Thanks alot, The solution given by you works for me, but one last point i want to use the data coming directly from index i.e like below: -

|tstats count WHERE index=unix by host | sort host | table host

so, in that case what modifications is needed. Pls tell me know , I tried but not getting any output.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Bear in mind that host is treated as a regex so if your host names have special characters in the regex sense then he results might not be quite as expected.

| tstats count WHERE index=unix by host
| sort host
| table host
| eventstats values(host) as all
| foreach mode=multivalue all
    [| eval match=if(match(<<ITEM>>,".*".host.".*") AND <<ITEM>>!=host,"true",match)]
| where isnotnull(match)
| fields host
0 Karma

AyushiSrivas
Loves-to-Learn

@ITWhisperer 

Thanks a lot, it really helped me today, the solution is perfect 😊.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Enough teasing.  Now, please tell us what is the formula?  I see no logical connection between the list and the result.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...