Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search a field which contain text from another field?

dordavid
Explorer
‎11-17-2020 03:16 AM

Hey, i want to search a field and get all the results which contain a value from another field.

For example:  I have 2 fields: message and str.

I want to get all the logs which their message field contain the value of str field.

how can i do that?

Labels (2)
Labels
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-17-2020 04:32 AM

Hi @dordavid ... From the post - 

https://community.splunk.com/t5/Splunk-Search/How-to-check-if-a-field-contains-a-value-of-another-fi...

 


your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")


OR

| where match(field2,field1)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2020 03:27 AM

Hi @dordavid,

let me understand:

  • you have two searches,
  • you want to filter the results of search_1 where a field of search_2 is present.

Only one question: do you want to match field from search 2 with only one field from search_1 or in all the _raw?

In the second case you can use the following search:

your_search_1 [ search your_search_2 | rename field_2 AS query | fields query ]
| ...

 in the first case (if field_1 is the field in the search_1 and field_2 is the field in search_2), try something like this:

your_search_1 [ search your_search_2 | eval field_1="*".field_2."*" | fields field_1 ]
| ...

In this second case the fields in main search and subsearch must have the same name (case sensitive).

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2020 05:32 AM

Hi @dordavid,

try my first solution or the solution by @inventsekar  that's equivalent.

Ciao.

Giuseppe

0 Karma
Reply

dordavid
Explorer
‎11-17-2020 03:59 AM

i will give u an example:

i have a two fields:
1) message
2) str

- lets assume that str contains the string "high cpu".

- i want to search all the logs which their message field contain the value of str: all the logs which their message field contain "high cpu".

-i want to do it dynamically - something like that:
index = a | search message= {str}* //  all logs with message field which contain the content of str field

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...