Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search if a string exists in a variable number of columns?

Kukkadapu
Path Finder
‎04-19-2016 10:41 AM

Hi,

I have multiple columns (number of columns may vary) and wanted to search a string if it exists in any of the columns. How do I do this using a simple search?

Log example: There are three statements

Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc"
Id_1="abc" Id_2="xyz"  Id_3="123"  
Id_1="abc" Id_2="123"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="123"

I've used the table command like this: | table Id_* to get a table of Id's
OUTPUT for the above search:

Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="xyz"
Id_1="abc" Id_2="xyz"  Id_3="123"  Id_4=null         Id_5=null    Id_6=null    Id_7=null
Id_1="abc" Id_2="123"  Id_3="123"  Id_4="abcd"  Id_5="abc"  Id_6="abc" Id_7="123"

Now I wanted to search/get the records where Id_* is "xyz" . Can you help me with the search?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎04-19-2016 12:03 PM

If you just want the field names you could use something like this instead (not tested so play around with the quotes):

| eval fieldnames = ""
| foreach Id_* [eval fieldnames = if(match(<<FIELD>>, "xyz"), "<<FIELD>>" . fieldnames, fieldnames)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎04-19-2016 12:03 PM

If you just want the field names you could use something like this instead (not tested so play around with the quotes):

| eval fieldnames = ""
| foreach Id_* [eval fieldnames = if(match(<<FIELD>>, "xyz"), "<<FIELD>>" . fieldnames, fieldnames)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Kukkadapu
Path Finder
‎04-19-2016 12:59 PM

Perfect , This worked. It created a new column - "fieldnames" with the original column name. I could just search the new column which has no nulls.

Thanks for your time Javiergn.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-19-2016 11:09 AM

You could add "xyz" to you search. Like this index=* "xyz" | table id_*

Reply
Solved! Jump to solution

Kukkadapu
Path Finder
‎04-19-2016 11:36 AM

Hi Sundareshr, Yeah , but the search string is also going to be in the other columns. I wanted to search only in the column Id_*

Thanks

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-19-2016 11:51 AM

Try this

.. | table id_* | foreach ID_* [eval x=<<MATCHSTR>>."@@@"] | search x="xyz"
0 Karma
Reply
Solved! Jump to solution

Kukkadapu
Path Finder
‎04-19-2016 12:00 PM

Can you explain the query please? I'm seeing this error

Failed to parse templatized search for field 'Id_1'
Failed to parse templatized search for field 'Id_2'
Failed to parse templatized search for field 'Id_3'
Failed to parse templatized search for field 'Id_4'

Thanks

0 Karma
Reply
The Latest From the Splunk Community!