Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search a field which contain text from another field?

dordavid
Explorer
‎11-17-2020 03:16 AM

Hey, i want to search a field and get all the results which contain a value from another field.

For example:  I have 2 fields: message and str.

I want to get all the logs which their message field contain the value of str field.

how can i do that?

Labels (2)
Labels
Reply

inventsekar
SplunkTrust
SplunkTrust
‎11-17-2020 04:32 AM

Hi @dordavid ... From the post - 

https://community.splunk.com/t5/Splunk-Search/How-to-check-if-a-field-contains-a-value-of-another-fi...

 


your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")


OR

| where match(field2,field1)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2020 03:27 AM

Hi @dordavid,

let me understand:

  • you have two searches,
  • you want to filter the results of search_1 where a field of search_2 is present.

Only one question: do you want to match field from search 2 with only one field from search_1 or in all the _raw?

In the second case you can use the following search:

your_search_1 [ search your_search_2 | rename field_2 AS query | fields query ]
| ...

 in the first case (if field_1 is the field in the search_1 and field_2 is the field in search_2), try something like this:

your_search_1 [ search your_search_2 | eval field_1="*".field_2."*" | fields field_1 ]
| ...

In this second case the fields in main search and subsearch must have the same name (case sensitive).

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2020 05:32 AM

Hi @dordavid,

try my first solution or the solution by @inventsekar  that's equivalent.

Ciao.

Giuseppe

0 Karma
Reply

dordavid
Explorer
‎11-17-2020 03:59 AM

i will give u an example:

i have a two fields:
1) message
2) str

- lets assume that str contains the string "high cpu".

- i want to search all the logs which their message field contain the value of str: all the logs which their message field contain "high cpu".

-i want to do it dynamically - something like that:
index = a | search message= {str}* //  all logs with message field which contain the content of str field

Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...