Splunk Search

How to write a search to find values similar to a certain string?

mgrosholz
Path Finder

Case Scenario:
The search string is "google"
The results should find g0ogle, go0gle, gogle, gooogle, etc...

I have searched all documentation and Splunk Answers. Any ideas?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You could try match.

... | where match(field, "g[0o]+gle") | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

mgrosholz
Path Finder

I wanted to add a comment since this idea is hard to find an answer to among the forums and online.

The accepted answer worked because I had fields to pivot off of.

The function works by matching a regex string you define in the second parameter of the function to the field assigned in the first parameter of the function.

If I did not have a field to look into, the only other viable option would be to work with the regex _raw commands until they worked.

In my scenario, I needed to then pull this information out and check for anomalies.

i.e. When is someone visiting those abnormal Google sites. For this, I used the stats command.

Thank you Ninjas for all of your responses.

0 Karma

sundareshr
Legend

How about this

| regex _raw "([gG][0oO]+[gG]le)"
0 Karma

mgrosholz
Path Finder

This query had less false positives than the first regex _raw but it still pulled up a lot of unwanted entries.

I am not sure why since it does not have any wildcards in between characters.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You could try match.

... | where match(field, "g[0o]+gle") | ...
---
If this reply helps you, Karma would be appreciated.

mgrosholz
Path Finder

This query does not pull up any results. I have looked into match before and used "where like"; which did not pull up the correct results.

I know "where" looks for combinations of values, variables, operators, and functions that represent the value of the search parameters but I am getting lost in the syntax. It looks like you may use some regex within the second parameter of the function.

Could you explain the "where match" function? Maybe that may help in troubleshooting.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You are correct in that the second argument to match is a regular expression. In my example, we're looking for the letter 'g' followed by any number of '0' or 'o' characters and ending with 'gle'. Prepending the '(?i)' flag would make the expression case-insensitive.
Like you, I've had better results with like, but that won't work in this instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mgrosholz
Path Finder

Thank you for the response and explanation. This ended up working.

I had to work with my field option and append some regex to get exactly what I needed.

0 Karma

somesoni2
Revered Legend

Give this a try

your base search | regex _raw=".*(?i)g+o+g+l+e+.*"
0 Karma

mgrosholz
Path Finder

This query pulls up all entries. For example, if I am looking up google.com, it pulls everything from IP's starting at zero to URL's starting with z.

I know the "+" symbol means one or more of that character, ".*" essentially means capture all, and "(?i) equates to case insensitive mode.

But it seems the search is pulling the string and every character in between.

0 Karma

somesoni2
Revered Legend

Do you have the URL extracted as a field? Also, can you post some sample log entries including ones you want to match and one you don't want to match.

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...