Splunk Search

How to compare between individual values from two fields having multiple values?

Path Finder

I have 2 fields from my search, something like this -
Errorcode, ErrorDescription
Err1, "abcd password is missing xyz"
Err1, "1111 password is missing 222"
Err1, "1233455 connection is not working 6789"

Now I have another field called ErrorCategory which has a list of values like -
Password is missing, Connection is not working ,xxxx, yyyy, jjjj...

I want to compare each value of ErrorDescription with Error Category and the end result should look like this -

ErrorCode, ErrorDescription,ErrorCategory
Err1, "abcd password is missing xyz",Password is missing
Err1, "1111 password is missing 222",Password is missing
Err1, "1233455 connection is not working 6789",Connection is not working

Right now, when I am trying to use match and compare, it is comparing the entire ErrorCategory list with each value of ErrorDescription, so it is not able to match.

How do I achieve the one-on-one comparison between fields having multiple values? Does anyone have any idea how to achieve this?

0 Karma

Esteemed Legend

Create a lookup file with content like this:

ErrorDescription, ErrorCategory
*Password is missing*,Password is missing
*Connection is not working*,Connection is not working
...,...

Then create a lookup definition which sets WILDCARD(ErrorDescription) and Ignore Case.
Then just do a lookup like this:

... | lookup YourLookupDefinitionHere ErrorDescription
0 Karma
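
The lookup definition described in the answer above, written out as a transforms.conf stanza. This is an added example, not part of the original post; the stanza name `error_category_by_text` and the file name `error_categories.csv` are assumptions, `max_matches = 1` is an addition the answer does not mention, and the CSV rows are the ones given in the answer.

```ini
# transforms.conf (added example; stanza name and file name are assumed)
[error_category_by_text]
filename = error_categories.csv

# Treat the ErrorDescription column of the CSV as wildcard patterns,
# so *Password is missing* matches "abcd password is missing xyz".
match_type = WILDCARD(ErrorDescription)

# The "Ignore Case" option from the answer: "password is missing" in the
# event matches "Password is missing" in the lookup file.
case_sensitive_match = false

# Addition, not in the answer: return only the first matching row (file order),
# so each event gets a single ErrorCategory instead of a multivalue list.
max_matches = 1

# error_categories.csv (rows taken from the answer):
#   ErrorDescription,ErrorCategory
#   *Password is missing*,Password is missing
#   *Connection is not working*,Connection is not working

# Search, using the assumed definition name:
#   ... | lookup error_category_by_text ErrorDescription
```

Because the match runs per event against each pattern row, every ErrorDescription is compared with one category at a time rather than with the whole category list.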

Path Finder

Does anyone have any solution to this?

0 Karma

Communicator

Do you want to compare only the text part of ErrorDescription and ErrorCategory?

0 Karma

Path Finder

Yes, compare only text part, ErrorDescription will be more detailed and ErrorCategory will be a short one

0 Karma

SplunkTrust

From where does the ErrorCategory field come? Is it a lookup table OR field in your raw data?

0 Karma

Path Finder

@somesoni2, yes exactly, the ErrorCategory comes from a lookup file. The lookup has only ErrorCode and ErrorCategory; I need to match the text of the ErrorDescription and assign it to an ErrorCategory.

0 Karma

Path Finder

Actually, to give you more details, this is the command I am using -
index=test (Error* OR fault* OR warning* OR fail*) "searchID"
| lookup mylookup.csv ErrorCode OUTPUTNEW ErrorCategory | eval match=if(like(ErrorDescription,"%".Error_Category."%"),"Yes","No") | table searchID, ErrorCode, ErrorDescription, ErrorCategory, match

But I am not getting any match; I am getting the below table output -
ErrorCode, ErrorDescription,ErrorCategory,match
Err1, "abcd password is missing xyz",Password is missing,Connection is not working,xxxx,yyyy,jjjj,no

Basically it is trying to compare the entire list of ErrorCategory against the one ErrorDescription.

0 Karma

Champion

Hmm, are you matching the case properly?

Like("abcd password is missing xyz") is not equal to Like(Password is missing). ErrorCategory starts with an upper case. Have you tried using something like |eval ErrorCategory=LOWER(ErrorCategory)
And then trying out your match eval?

0 Karma