Solved: How to write a search with the condition "if field...

karthikmalla · ‎11-29-2016

Hello,

I am aware of the following search syntax

field1 = *something*
field1 = field2
field1 != field2

But I wish to write something like:

field1 != *field2* but this is typically meant to search if field2 doesn't contain field1, but instead it's just searching field2 as text as it's set within asterisks.

Can anyone provide me the syntax to search with this criteria? Thanks

gokadroid · ‎11-29-2016

Can you check the match function here which might be what u r looking for:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/CommonEvalFunctions

OR few possible combinations for matching two fields are here
https://answers.splunk.com/answers/315143/how-to-search-a-field-for-text-from-another-field.html

Updating answer as per the comments

your base search | where NOT LIKE(Field1,"%".Field2."%")

OR

Your base search | where NOT match(Field1,".*".Field2.".*")

OR

 your base search | search Field1!=".*".Field2.".*"

View solution in original post

yepyepyayyooo · ‎12-30-2019

No one answered karthikmalla question. He wanted to to return or filter results where field1 is present NOT present within field2. An example of why this is necessary is when field 2 is an array. For example:

Field1=1.1.1.1
Field2= 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4

So he needs to be able to search within Field2 and see if any of the values match the Field1 value or values.

jkat54 · ‎11-29-2016

After much hair pulling with the trust (to be read as the last hour of my life), I've decided I'm going to share a custom spl command and instructions on how to use it. In the morning though, not tonight.

gokadroid · ‎11-29-2016

Can you check the match function here which might be what u r looking for:
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/CommonEvalFunctions

OR few possible combinations for matching two fields are here
https://answers.splunk.com/answers/315143/how-to-search-a-field-for-text-from-another-field.html

Updating answer as per the comments

your base search | where NOT LIKE(Field1,"%".Field2."%")

OR

Your base search | where NOT match(Field1,".*".Field2.".*")

OR

 your base search | search Field1!=".*".Field2.".*"

jkat54 · ‎11-30-2016

Only this won't work if field2 has _ or %.

puneethgowda · ‎11-29-2016

index=A | where like(Field, "%something%")

puneethgowda · ‎11-29-2016

index=A | where NOT like(field1, "%H%")

karthikmalla · ‎11-29-2016

@puneethgowda - I am not sure if you understood my question. I believe %something% and %H% will search something that's a static text, I need to search within a dynamic field. Can you please read my question once again? thanks

gokadroid · ‎11-29-2016

Did u check the @somesoni2's answer in the second link i Posted. It has exactly what u need. Let me repaste his answer there, here too:

your base search | where NOT LIKE(Field_A,"%".Field_B."%") 

 OR 

 Your base search | where NOT match(Field_A,".*".Field_B.".*") 

 OR 

 your base search | search Field_A!=".*".Field_B.".*"

How to write a search with the condition "if field1 NOT LIKE field2"?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!