Splunk Search

How to search string in a field ?

isedrof
Engager

Hello,
i have a 2 lists of clients, the 1st one is "All_Client.csv" which is in a saved like an index and the 2nd is "App_client.csv" which saved as a lookup table.
the both of lists got a fied 'user_name'. the purpose is to get the clients in the 2nd list ( "App_client.csv" ) who doesn't figure in the 1st list ("All_Client.csv").
i have a "wondrful" query which does the work for me
| inputlookup tlog.csv | search NOT user_name="WS*" | search NOT END.DATE.PROFILE<20150708 | search NOT [ search index=* source="listingcollab_ajour.csv" | dedup user_name| table user_name ]

but the problem is when i have some username which does not much 100%. for example whene i have 'Alice ashley' in the first list and in the 2nd list have 'Alice ashly', the query return that the field does not much, and even whene the fisrt name and the second name are not in the same order.
a help plz. and thank you a lot.

0 Karma
1 Solution

MuS
Legend

Hi Isedrof,

I don't want to be mean nor rude; but like some famous answers member once said: You need to learn to walk, before you run

@rich7177 and @woodcok pointed out some information.

I think it can be done, but it is not worth the effort! Because you would have to get each single value for the user_name normalize them and compare each single character one by one. But as I said, this will take some effort and if I recall the trouble you had just to get this search working ...... Well, see You need to learn to walk, before you run

My suggestion: clean up your data! Have the user_name in all sources to be the same and your done.
Most of my costumers check their data before it will be ingested into Splunk and if the data is not in a useful format (any key=value pair will work fine) they simply reject it. This may be harsh, but it will pay off in the end!

cheer, MuS

View solution in original post

MuS
Legend

Hi Isedrof,

I don't want to be mean nor rude; but like some famous answers member once said: You need to learn to walk, before you run

@rich7177 and @woodcok pointed out some information.

I think it can be done, but it is not worth the effort! Because you would have to get each single value for the user_name normalize them and compare each single character one by one. But as I said, this will take some effort and if I recall the trouble you had just to get this search working ...... Well, see You need to learn to walk, before you run

My suggestion: clean up your data! Have the user_name in all sources to be the same and your done.
Most of my costumers check their data before it will be ingested into Splunk and if the data is not in a useful format (any key=value pair will work fine) they simply reject it. This may be harsh, but it will pay off in the end!

cheer, MuS

isedrof
Engager

First thank you for your answer,
What i want to say is that i'm working on several hundreds of users , and i'm not responsible of those extraction. so i can not normalize the "user_name" of all users, So i was thinking on a way to optimize that query.. i know that trying to have a result at the first time was not easy and thanks to u for this.

0 Karma

Richfez
SplunkTrust
SplunkTrust

You are probably looking for Soundex or some variant thereof. I do not believe there is anything like this in Splunk.

I am sure they would take the suggestion to add such a feature seriously if you made it.

0 Karma

woodcock
Esteemed Legend

Are you asking for a "fuzzy" match or a way to check if all words in a field are the same, regardless of order (or both)? We can work on the last one but the first one is unlikely to have a good answer.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...