How to distinguish two similar strings

Marco · ‎04-09-2021

Hello I have two similar strings that I need to differentiate. These are the key words in the String

1. Special

2 Specialist

When they come into Splunk it comes in as a command:

EX:

"Alter User Special"

"Alter User Specialist"

Currently I am using these queries:

host=*| eval SPECIALIST=if(like(EVNTCOMMAND, "% SPECIALIST%"),1,0)| chart sum(SPECIALIST)

host=*| eval SPECIAL=if(like(EVNTCOMMAND, "% SPECIAL%"),1,0)| chart sum(SPECIAL)

I need the % after Special and Specialist because sometimes there is more data after those strings.

Any Suggestions?

Thank you,

Marco

ITWhisperer · ‎04-09-2021

Use match and a regex for special/specialist followed by space or end of line

| makeresults 
| eval _raw="Alter User Special abc
Alter User Specialist
Alter User Specialists
Alter User Special
Alter User Specials
Alter User Specialist xyz"
| multikv noheader=t
| fields _raw
| eval special=if(match(_raw," Special(\s|$)"),true(),null)
| eval specialist=if(match(_raw," Specialist(\s|$)"),true(),null)

Marco · ‎04-13-2021

Thank you,

using the REGEX example i was able to generate a count but since I am not to familiar with REGEX I did it another way.

host=*| eval SPECIAL=if(like(COMMAND, "% SPECIAL") OR like(COMMAND, "% SPECIAL %"),1,0)| chart sum(SPECIAL)

Using an Or statement gets me the same results.

-Marco

How to distinguish two similar strings

eval

regex

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life