Solved: Re: How to match partial values of field a with pa...

innoce · ‎08-29-2023

Hi, I want to match partial values of field a with partial values of field b.. I tried with match/like but no luck..

field a
AA\ABC$
BB\DCE$

field b
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET

Now my results should return

field a = field b
ABC = ABC
DCE = DCE

Could someone pls help me on this?

gcusello · ‎08-30-2023

Hi @innoce ,

as @bowesmana said, you have to extract the second value from the second field.

Are you sure about the position of the second value in the second field?

if it's alway after "A=" and always in the beginning of the field, you could use the following regex:

<your_search>
| rex field=b "^A\=(?<A>[^,]*)"
| where a=A

that you can test at https://regex101.com/r/9hePOP/1 othrwise you have to modify the regex but using the same approach.

Ciao.

Giuseppe

View solution in original post

bowesmana · ‎08-29-2023

Are you looking for any length partial match of field a with b?

i.e. if field a is AA\ABC$

and field B is 123456789A987654321

do you want a match because it contains A? which is a partial match?

innoce · ‎08-29-2023

@bowesmana , nope.. let me share the exact example values

field a = AAAAA\ABCDE-SS410009$

field b = A=AAAAA\ABCDE-SS410009,B=Domain,C=AB,D=XXX,E=NET

Now I want to match
field a= AAAAA\ABCDE-SS410009
field b= AAAAA\ABCDE-SS410009
like this

bowesmana · ‎08-30-2023

Sorry, still not sure I get it, you say partial matches of both A and B, so for your second example what are the rules there?

field a = AAAAA\ABCDE-SS410009$
field b = A=AAAAA\ABCDE-SS410009,B=Domain,C=AB,D=XXX,E=NET

Now I want to match
field a= AAAAA\ABCDE-SS410009
field b= AAAAA\ABCDE-SS410009
like this

In the above, you show that all characters up to and excluding the final $ sign are found in B, so you appear to be showing the longest match of A found in B.

So, if A had

AAAAA\ABCDE-PP921234$

would you expect to see AAAAA\ABCDE as a match result

and if A had

BBBBB\ABCDE-SS410009$

would you expect to see ABCDE-SS410009 as a match

Also is the A= part in B related to field 'a'?

gcusello · ‎08-30-2023

Hi @innoce ,

as @bowesmana said, you have to extract the second value from the second field.

Are you sure about the position of the second value in the second field?

if it's alway after "A=" and always in the beginning of the field, you could use the following regex:

<your_search>
| rex field=b "^A\=(?<A>[^,]*)"
| where a=A

that you can test at https://regex101.com/r/9hePOP/1 othrwise you have to modify the regex but using the same approach.

Ciao.

Giuseppe

innoce · ‎08-31-2023

@gcusello , Thanks for the headsup.. as said, I modified the regex..

| rex "fieldb=(?P<fieldb>\w*[\-|\_]\w*)\,"
| rex "fielda\:\s+(?P<fielda_X>\w*\-\w*)\$"
and used the where condition to find matches
| where 'fielda_X'='fieldb'

Its working now as expected..

gcusello · ‎09-01-2023

HI @innoce ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎08-31-2023

Hi @innoce,

You don't need quotes id in the field names there isn't any space or special char.

Anyway, good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

yuanliu · ‎08-30-2023

Looks like there is also a trailing "$" in field a.

<your_search>
| rex field=b "^A\=(?<A>[^,]*)"
| where a=A."$"

Something like that.

How to match partial values of field a with partial values of field b ?

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout