Splunk Search

How to distinguish two similar strings

Marco
Communicator

Hello, I have two similar strings that I need to differentiate. These are the key words in the string:

1. Special

2. Specialist

When they come into Splunk, they come in as a command:

Ex:

"Alter User Special"

"Alter User Specialist"

Currently I am using these queries:

host=*| eval SPECIALIST=if(like(EVNTCOMMAND, "% SPECIALIST%"),1,0)| chart sum(SPECIALIST)

host=*| eval SPECIAL=if(like(EVNTCOMMAND, "% SPECIAL%"),1,0)| chart sum(SPECIAL)

I need the % after Special and Specialist because sometimes there is more data after those strings.

Any suggestions?

Thank you,

Marco


ITWhisperer
SplunkTrust

Use match and a regex for special/specialist followed by a space or end of line.

| makeresults 
| eval _raw="Alter User Special abc
Alter User Specialist
Alter User Specialists
Alter User Special
Alter User Specials
Alter User Specialist xyz"
| multikv noheader=t
| fields _raw
| eval special=if(match(_raw," Special(\s|$)"),true(),null)
| eval specialist=if(match(_raw," Specialist(\s|$)"),true(),null)

Marco
Communicator

Thank you,

Using the regex example I was able to generate a count, but since I am not too familiar with regex, I did it another way.

host=*| eval SPECIAL=if(like(COMMAND, "% SPECIAL") OR like(COMMAND, "% SPECIAL %"),1,0)| chart sum(SPECIAL)

Using an OR statement gets me the same results.

-Marco

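The three matching strategies in this thread (the original "% SPECIAL%" prefix match, ITWhisperer's " Special(\s|$)" regex, and Marco's "% SPECIAL" OR "% SPECIAL %" LIKE pair) can be compared outside Splunk over the same sample commands. The Python below is an added example, not code from the thread or from Splunk; it emulates SPL's like() wildcard semantics with a small helper (an assumption, since the real function is Splunk's) and runs the three counting approaches over the six constructed "Alter User ..." events from ITWhisperer's makeresults block, matching case-sensitively on "Special" as that sample data is written.

```python
import re

# Constructed sample events, copied in shape from the thread's makeresults example.
EVENTS = [
    "Alter User Special abc",
    "Alter User Specialist",
    "Alter User Specialists",
    "Alter User Special",
    "Alter User Specials",
    "Alter User Specialist xyz",
]


def like(value: str, pattern: str) -> bool:
    """Emulate a SQL/SPL-style LIKE test (assumed semantics, not Splunk's code):
    '%' matches any run of characters, '_' matches exactly one character,
    everything else is literal. Case-sensitive, as the constructed data is."""
    regex = "^" + "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.search(regex, value, re.DOTALL) is not None


def count_like_prefix(events, word: str) -> int:
    """The original query's pattern '% WORD%': a trailing '%' also accepts any
    longer token that merely starts with WORD, so 'Special' counts 'Specialist'."""
    return sum(1 for e in events if like(e, f"% {word}%"))


def count_like_bounded(events, word: str) -> int:
    """Marco's OR pair: WORD at the end of the command, or WORD followed by a space."""
    return sum(1 for e in events if like(e, f"% {word}") or like(e, f"% {word} %"))


def count_regex(events, word: str) -> int:
    """ITWhisperer's match(): WORD followed by whitespace or end of line."""
    pattern = re.compile(rf" {re.escape(word)}(\s|$)")
    return sum(1 for e in events if pattern.search(e))


def tally(events):
    """Side-by-side counts for both keywords under all three strategies."""
    return {
        word: {
            "like_prefix": count_like_prefix(events, word),
            "like_bounded": count_like_bounded(events, word),
            "regex": count_regex(events, word),
        }
        for word in ("Special", "Specialist")
    }


if __name__ == "__main__":
    for word, counts in tally(EVENTS).items():
        print(word, counts)
```

On this data the prefix pattern counts "Special" six times (every event contains it as a prefix), while both bounded approaches count it twice, which is the actual number of "Alter User Special" commands; "Specialist" is overcounted (3) by the prefix pattern because of "Specialists". The regex and the OR pair agree here because both treat only a space or end of string as the boundary; if the commands ever carry punctuation straight after the keyword (for example "Special," or "Special;"), neither pattern will match it, and the regex would need a broader boundary class than `(\s|$)`.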