Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search string in a field ?

isedrof
Engager
‎07-17-2015 01:18 AM

Hello,
i have a 2 lists of clients, the 1st one is "All_Client.csv" which is in a saved like an index and the 2nd is "App_client.csv" which saved as a lookup table.
the both of lists got a fied 'user_name'. the purpose is to get the clients in the 2nd list ( "App_client.csv" ) who doesn't figure in the 1st list ("All_Client.csv").
i have a "wondrful" query which does the work for me
| inputlookup tlog.csv | search NOT user_name="WS*" | search NOT END.DATE.PROFILE<20150708 | search NOT [ search index=* source="listingcollab_ajour.csv" | dedup user_name| table user_name ]

but the problem is when i have some username which does not much 100%. for example whene i have 'Alice ashley' in the first list and in the 2nd list have 'Alice ashly', the query return that the field does not much, and even whene the fisrt name and the second name are not in the same order.
a help plz. and thank you a lot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎07-18-2015 03:47 PM

Hi Isedrof,

I don't want to be mean nor rude; but like some famous answers member once said: You need to learn to walk, before you run

@rich7177 and @woodcok pointed out some information.

I think it can be done, but it is not worth the effort! Because you would have to get each single value for the user_name normalize them and compare each single character one by one. But as I said, this will take some effort and if I recall the trouble you had just to get this search working ...... Well, see You need to learn to walk, before you run

My suggestion: clean up your data! Have the user_name in all sources to be the same and your done.
Most of my costumers check their data before it will be ingested into Splunk and if the data is not in a useful format (any key=value pair will work fine) they simply reject it. This may be harsh, but it will pay off in the end!

cheer, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎07-18-2015 03:47 PM

Hi Isedrof,

I don't want to be mean nor rude; but like some famous answers member once said: You need to learn to walk, before you run

@rich7177 and @woodcok pointed out some information.

I think it can be done, but it is not worth the effort! Because you would have to get each single value for the user_name normalize them and compare each single character one by one. But as I said, this will take some effort and if I recall the trouble you had just to get this search working ...... Well, see You need to learn to walk, before you run

My suggestion: clean up your data! Have the user_name in all sources to be the same and your done.
Most of my costumers check their data before it will be ingested into Splunk and if the data is not in a useful format (any key=value pair will work fine) they simply reject it. This may be harsh, but it will pay off in the end!

cheer, MuS

Reply
Solved! Jump to solution

isedrof
Engager
‎07-22-2015 02:10 AM

First thank you for your answer,
What i want to say is that i'm working on several hundreds of users , and i'm not responsible of those extraction. so i can not normalize the "user_name" of all users, So i was thinking on a way to optimize that query.. i know that trying to have a result at the first time was not easy and thanks to u for this.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎07-18-2015 12:16 PM

You are probably looking for Soundex or some variant thereof. I do not believe there is anything like this in Splunk.

I am sure they would take the suggestion to add such a feature seriously if you made it.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-17-2015 08:35 AM

Are you asking for a "fuzzy" match or a way to check if all words in a field are the same, regardless of order (or both)? We can work on the last one but the first one is unlikely to have a good answer.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...