Splunk Search

How to use values of a field as part of regular expressions and match with values in other fields, this being done for a large data-set?

snipedown21
Path Finder

I have tables like below:


Personnel Name                   Person Name
First Name    Last Name          First Name    Last Name
Graham        Smith.Jr           Emily         Smith
Brendon       Roy                Brendon       Johnson III
Alicia        Spinat             Norman        Alicia
Mark          Twain              Justin        Darlington

I want to match either the first name of the personnel name, with the first or last name of the person name or vice versa.
The interest of match here is to know if there is a remote match either in the first name or last name of the personnel and person.
But, I also want my search to eliminate the ".Jr" and "III" while matching and any other initials in the name.

Here is what I have:

|table prsnl_name, person_name
| eval splitofprsnl=split(prsnl_name,",")
| eval field1=mvindex(splitofprsnl,0)
| eval field2=mvindex(splitofprsnl,1)
| eval splitofperson=split(person_name,",")
| eval field3=mvindex(splitofperson,0)
| eval field4=mvindex(splitofperson,1)
| fields prsnl_name, person_name, field1, field2, field3, field4
| eval field1=trim(field1, " ")
| eval field2=trim(field2, " ")
| eval field3=trim(field3, " ")
| eval field4=trim(field4, " ")
| eval n1=if(match(field2,".*field3.*"),1,0)
| eval n2=if(match(field3,".*field2.*"),1,0)
| eval n3=if(match(field1,".*field4.*"),1,0)
| eval n4=if(match(field4,".*field1.*"),1,0)

I'm really new to Splunk and help would be greatly appreciated.
Thank you.

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

your base search |table prsnl_name, person_name 
| rex field=prsnl_name "(?<prsnl_first>.+)\s*,\s*(?<prsnl_last>.+)"
| rex field=person_name "(?<person_first>.+)\s*,\s*(?<person_last>.+)"
| eval n1=if(match(prsnl_name,person_first),1,0) 
| eval n2=if(match(prsnl_name,person_last),1,0) 
| eval n3=if(match(person_name,prsnl_first),1,0) 
| eval n4=if(match(person_name,prsnl_last),1,0)


0 Karma
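
The matching in the answer above, modelled in Python as an added example that is not part of the original thread: `match()` runs the second field's value as an unanchored regular expression, so `Smith.Jr` is a pattern rather than text, and the suffixes the question wants ignored are still in the names. The suffix and initial patterns and all helper names are assumptions of this example; the rows are the question's sample data.

```python
import re

# Constructed input: the four sample rows from the question, written as the
# "First, Last" strings that the searches on this page split on a comma.
ROWS = [
    ("Graham, Smith.Jr", "Emily, Smith"),
    ("Brendon, Roy", "Brendon, Johnson III"),
    ("Alicia, Spinat", "Norman, Alicia"),
    ("Mark, Twain", "Justin, Darlington"),
]

# Assumed patterns: the suffixes named in the question (".Jr", "III") and
# single-letter initials such as "J.".
SUFFIX = re.compile(r"[\s.]+(?:jr|iii)\.?$", re.IGNORECASE)
INITIAL = re.compile(r"\b[a-z]\.(?:\s+|$)", re.IGNORECASE)

def split_name(full):
    """Split 'First, Last' on the comma and trim both parts."""
    first, _, last = full.partition(",")
    return first.strip(), last.strip()

def clean(part):
    """Drop a trailing Jr/III and initials such as 'J.' from one name part."""
    return INITIAL.sub("", SUFFIX.sub("", part)).strip()

def contains(haystack, needle, hardened):
    """Model of match(): an unanchored regex search. Hardened mode escapes the
    needle so the data is compared as text, and ignores case."""
    if not needle:
        return 0
    if hardened:
        return int(re.search(re.escape(needle), haystack, re.IGNORECASE) is not None)
    return int(re.search(needle, haystack) is not None)

def flags(prsnl_name, person_name, hardened=True):
    """Return (n1, n2, n3, n4) in the order used by the answer's evals."""
    pf, pl = split_name(prsnl_name)
    qf, ql = split_name(person_name)
    if hardened:
        pf, pl, qf, ql = (clean(x) for x in (pf, pl, qf, ql))
        prsnl_name, person_name = f"{pf}, {pl}", f"{qf}, {ql}"
    pairs = [(prsnl_name, qf), (prsnl_name, ql), (person_name, pf), (person_name, pl)]
    return tuple(contains(h, n, hardened) for h, n in pairs)

if __name__ == "__main__":
    for row in ROWS:
        print(row, flags(*row, hardened=False), flags(*row))
```

With `hardened=False` the first row misses the `Smith.Jr` / `Smith` pair on n4, and a value such as `.*` matches every name; the hardened path reports the pair and treats `.*` as plain text.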

snipedown21
Path Finder

It works just fine. Thank you.
Appreciate it Mate.

0 Karma