Splunk Search

How to search a field for text from another field?

Explorer

It seems like this should be something pretty simple to do, so I hope I'm not just overlooking something.

Let's say I have Field_A that contains a full email address and Field_B that contains only a domain. What I'm trying to do is search Field_A and see if the text in Field_B is not found. My first thought was something along the lines of:

where not like(Field_A, %Field_B%)

But those percent wildcards can only be used for a search string... whereas I don't have that.

I hope that makes sense. Thanks!

0 Karma
1 Solution

Revered Legend

You should be able to use WHERE OR search to do this (even with field value). Try something like this

your base search | where NOT LIKE(Field_A,"%".Field_B."%") 

OR 

Your base search | where NOT match(Field_A,".*".Field_B.".*") 

OR 

your base search | search Field_A!=".*".Field_B.".*"


Explorer

Thanks, I figured I was just goofing something simple up.

I wound up just doing: where NOT match(Field_A, Field_B)

0 Karma

Influencer

Extract domain from Field_A into a new field Field_Domain and then compare it with Field_B. Does that work for you?

0 Karma

Explorer

Unfortunately no. Let me explain a bit more with a better example:

Field_A = m-1hq98whvnq8p6d9ibr2qagqs1ukaz1usy9ozufub8rkr0ur0ji82mw8t0e833@bounce.linkedin.com
Field_B = linkedin.com

If I extracted the domain from Field_A, it would be "bounce.linkedin.com"... What I want to do is basically search Field_A for Field_B and see if it occurs anywhere in the string. If you're familiar with PHP or other similar languages, what I'm looking for is the functionality of the stristr function.

0 Karma
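The three forms in the accepted answer and the asker's final `where NOT match(Field_A, Field_B)` behave differently once Field_B contains characters that are special to the pattern language: with match() Field_B is a regex, so the "." in "linkedin.com" also matches "linkedinXcom"; with like() a "%" or "_" inside Field_B stays a wildcard. The following Python is an added example, not code from the thread or from Splunk; it models the semantics of SPL's like() and match() over a handful of constructed rows (the sample addresses are made up) so the difference between the regex form, the LIKE form, and the literal stristr-style containment the asker describes can be seen side by side. The SPL equivalent of the literal test is to escape Field_B before building the pattern, or, when Field_B is a plain domain with no "%" or "_", to compare lower() of both fields with like().

```python
import re

# Constructed sample rows standing in for Splunk events (not data from the thread).
EVENTS = [
    {"Field_A": "m-1hq98whvnq8p6d9ibr2qagqs1ukaz1usy9ozufub8rkr0ur0ji82mw8t0e833@bounce.linkedin.com",
     "Field_B": "linkedin.com"},
    {"Field_A": "alerts@mail.example.org", "Field_B": "linkedin.com"},
    # Regex pitfall: an unescaped '.' in Field_B also matches "linkedinXcom".
    {"Field_A": "noreply@linkedinXcom.example", "Field_B": "linkedin.com"},
    # LIKE pitfall: '_' in Field_B is a one-character wildcard, so "sub_domain" also matches "subXdomain".
    {"Field_A": "user@subXdomain.example", "Field_B": "sub_domain"},
]


def spl_like(value, pattern):
    """Emulate SPL like(): '%' matches any run, '_' matches one character,
    everything else is literal; the comparison is case-sensitive."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def contains_naive_match(field_a, field_b):
    """The asker's where NOT match(Field_A, Field_B): Field_B is read as a regex."""
    return re.search(field_b, field_a) is not None


def contains_naive_like(field_a, field_b):
    """The accepted answer's like(Field_A, "%".Field_B."%"):
    '%' and '_' inside Field_B keep their wildcard meaning."""
    return spl_like(field_a, "%" + field_b + "%")


def contains_literal(field_a, field_b):
    """Literal, case-insensitive substring test (the PHP stristr behaviour the
    asker described). In SPL this needs Field_B's regex metacharacters escaped
    first, or lower()'d values compared with like() when Field_B has no wildcards."""
    return field_b.lower() in field_a.lower()


def rows_without_domain(events, contains):
    """Return Field_A of every event whose Field_B is NOT found, using the given test.
    This is the asker's goal: keep only addresses that do not contain the domain."""
    return [e["Field_A"] for e in events if not contains(e["Field_A"], e["Field_B"])]


if __name__ == "__main__":
    for name, test in [("match()", contains_naive_match),
                       ("like()", contains_naive_like),
                       ("literal", contains_literal)]:
        print(name, "->", rows_without_domain(EVENTS, test))
```

Running it shows the regex form wrongly treating "linkedinXcom" as a hit, the LIKE form wrongly treating "subXdomain" as a hit for "sub_domain", and the literal form rejecting both, which is what a substring check on untrusted field values should do.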