Re: How to find the most matching result?

CcCcCcCcCc1 · ‎09-02-2016

Dear all Splunkers

I'm a newbie for splunk and quite frustrated any method can do somekind of compare/find the most matching result in search?

Here are the situation, allow user input a value with XXXX-XXXX-XXXX-XXXX-XXXX standard and match with below ID

ID  
AAAA-BBBB-CCCC-DDDD 
AAAA-BBBB-CCCC  
AAAA-BBBB

what i want find the most matching result

for Example input AAAA-BBBB-XXXX-YYYY-ZZZZ

ID  
AAAA-BBBB-CCCC-DDDD -> No match result
AAAA-BBBB-CCCC       -> No match result
AAAA-BBBB             -> Match with AAAA-BBBB -->> return some value

Another Example input AAAA-BBBB-CCCC-YYYY-ZZZZ

ID  
AAAA-BBBB-CCCC-DDDD     -> No match result
AAAA-BBBB-CCCC        -> Match with AAAA-BBBB-CCCC -->> return some value
AAAA-BBBB              -> No need to match with this

Tried to split the text first but no idea whats next.

Should i use isnull or multisearch?? hope your can give me some hints on that 🙂 cheers

jkat54 · ‎09-03-2016

Use the regex command:

... | regex aaaaa-bbbbb-ccccc

Etc

https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Regex

sundareshr · ‎09-02-2016

Here is a runanywhere sample that you can try.

| makeresults | eval x=" AAAA-BBBB-CCCC-DDDD;AAAA-BBBB-CCCC;AAAA-BBBB" | makemv x delim=";" | mvexpand x | eval y="AAAA-BBBB-CCCC-YYYY-ZZZZ" | eval m=if(match(y, x."*"), "y", "n") | makemv x delim="-" | where m="y" | eventstats max(eval(mvcount(x))) as max  | where mvcount(x) = max

How to find the most matching result?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms