How to distinguish two similar strings

Marco · ‎04-09-2021

Hello I have two similar strings that I need to differentiate. These are the key words in the String

1. Special

2 Specialist

When they come into Splunk it comes in as a command:

EX:

"Alter User Special"

"Alter User Specialist"

Currently I am using these queries:

host=*| eval SPECIALIST=if(like(EVNTCOMMAND, "% SPECIALIST%"),1,0)| chart sum(SPECIALIST)

host=*| eval SPECIAL=if(like(EVNTCOMMAND, "% SPECIAL%"),1,0)| chart sum(SPECIAL)

I need the % after Special and Specialist because sometimes there is more data after those strings.

Any Suggestions?

Thank you,

Marco

ITWhisperer · ‎04-09-2021

Use match and a regex for special/specialist followed by space or end of line

| makeresults 
| eval _raw="Alter User Special abc
Alter User Specialist
Alter User Specialists
Alter User Special
Alter User Specials
Alter User Specialist xyz"
| multikv noheader=t
| fields _raw
| eval special=if(match(_raw," Special(\s|$)"),true(),null)
| eval specialist=if(match(_raw," Specialist(\s|$)"),true(),null)

Marco · ‎04-13-2021

Thank you,

using the REGEX example i was able to generate a count but since I am not to familiar with REGEX I did it another way.

host=*| eval SPECIAL=if(like(COMMAND, "% SPECIAL") OR like(COMMAND, "% SPECIAL %"),1,0)| chart sum(SPECIAL)

Using an Or statement gets me the same results.

-Marco

How to distinguish two similar strings

eval

regex

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!