Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search a field which contain text from another field?

dordavid
Explorer
‎11-17-2020 03:16 AM

Hey, i want to search a field and get all the results which contain a value from another field.

For example:  I have 2 fields: message and str.

I want to get all the logs which their message field contain the value of str field.

how can i do that?

Labels (2)
Labels
Reply

inventsekar
Super Champion
‎11-17-2020 04:32 AM

Hi @dordavid ... From the post - 

https://community.splunk.com/t5/Splunk-Search/How-to-check-if-a-field-contains-a-value-of-another-fi...

 


your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")


OR

| where match(field2,field1)

0 Karma
Reply

gcusello
Esteemed Legend
‎11-17-2020 03:27 AM

Hi @dordavid,

let me understand:

  • you have two searches,
  • you want to filter the results of search_1 where a field of search_2 is present.

Only one question: do you want to match field from search 2 with only one field from search_1 or in all the _raw?

In the second case you can use the following search:

your_search_1 [ search your_search_2 | rename field_2 AS query | fields query ]
| ...

 in the first case (if field_1 is the field in the search_1 and field_2 is the field in search_2), try something like this:

your_search_1 [ search your_search_2 | eval field_1="*".field_2."*" | fields field_1 ]
| ...

In this second case the fields in main search and subsearch must have the same name (case sensitive).

Ciao.

Giuseppe

Reply

gcusello
Esteemed Legend
‎11-17-2020 05:32 AM

Hi @dordavid,

try my first solution or the solution by @inventsekar  that's equivalent.

Ciao.

Giuseppe

0 Karma
Reply

dordavid
Explorer
‎11-17-2020 03:59 AM

i will give u an example:

i have a two fields:
1) message
2) str

- lets assume that str contains the string "high cpu".

- i want to search all the logs which their message field contain the value of str: all the logs which their message field contain "high cpu".

-i want to do it dynamically - something like that:
index = a | search message= {str}* //  all logs with message field which contain the content of str field

Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...