Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search a field which contain text from another field?

dordavid
Explorer
‎11-17-2020 03:16 AM

Hey, i want to search a field and get all the results which contain a value from another field.

For example:  I have 2 fields: message and str.

I want to get all the logs which their message field contain the value of str field.

how can i do that?

Labels (2)
Labels
Reply

inventsekar
Super Champion
‎11-17-2020 04:32 AM

Hi @dordavid ... From the post - 

https://community.splunk.com/t5/Splunk-Search/How-to-check-if-a-field-contains-a-value-of-another-fi...

 


your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")


OR

| where match(field2,field1)

0 Karma
Reply

gcusello
Esteemed Legend
‎11-17-2020 03:27 AM

Hi @dordavid,

let me understand:

  • you have two searches,
  • you want to filter the results of search_1 where a field of search_2 is present.

Only one question: do you want to match field from search 2 with only one field from search_1 or in all the _raw?

In the second case you can use the following search:

your_search_1 [ search your_search_2 | rename field_2 AS query | fields query ]
| ...

 in the first case (if field_1 is the field in the search_1 and field_2 is the field in search_2), try something like this:

your_search_1 [ search your_search_2 | eval field_1="*".field_2."*" | fields field_1 ]
| ...

In this second case the fields in main search and subsearch must have the same name (case sensitive).

Ciao.

Giuseppe

Reply

gcusello
Esteemed Legend
‎11-17-2020 05:32 AM

Hi @dordavid,

try my first solution or the solution by @inventsekar  that's equivalent.

Ciao.

Giuseppe

0 Karma
Reply

dordavid
Explorer
‎11-17-2020 03:59 AM

i will give u an example:

i have a two fields:
1) message
2) str

- lets assume that str contains the string "high cpu".

- i want to search all the logs which their message field contain the value of str: all the logs which their message field contain "high cpu".

-i want to do it dynamically - something like that:
index = a | search message= {str}* //  all logs with message field which contain the content of str field

Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...