Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If a field includes certain number of predefined strings?

splunkerer
Path Finder
‎05-19-2021 10:43 PM

Hi,

data set to search in field1:  ("foo", "bar", execute", "thanx", "tax", "trade" )

if field1 includes any random 3 of the strings in the data set, It will show up in the search result.

1. field1 = " book car test sell buy trade execute". -- > WONT match at least tree of the items in the data set.

2. field1="book bar execute tax test". --> WILL match since "bar", "execute" and "tax" are included in field1

3. field1="test foo exec bar car". --> WONT match at least tree of the items in the data set.

Please let me know how I can do it.

Thanks,

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2021 11:55 PM

Assuming the data set you want to match against is a mv-field and the fields you want to check are space delimited, you could try this:

| makeresults 
| eval dataset=split("foo,bar,execute,thanx,tax,trade",",")
| eval field1=split("book car test sell buy trade execute|book bar execute tax test|test foo exec bar car","|")
| mvexpand field1


| eval mvfield1=split(field1," ")
| eval tomatch=mvjoin(dataset,"|")
| nomv tomatch
| eval mvfieldmatched=mvcount(mvmap(mvfield1,if(match(mvfield1,tomatch),mvfield1,null)))

Split the field to be searched into a mv-field and join the match dataset with "|" to create a regex. Then for each word in the mv-field see if it matches anything in the list, and count the matches. If you need to count a match only once e.g. trade is repeated, then you could wrap the mvmap in mvdedup i.e. mvcount(mvdedup(mvmap(...)))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-19-2021 11:55 PM

Assuming the data set you want to match against is a mv-field and the fields you want to check are space delimited, you could try this:

| makeresults 
| eval dataset=split("foo,bar,execute,thanx,tax,trade",",")
| eval field1=split("book car test sell buy trade execute|book bar execute tax test|test foo exec bar car","|")
| mvexpand field1


| eval mvfield1=split(field1," ")
| eval tomatch=mvjoin(dataset,"|")
| nomv tomatch
| eval mvfieldmatched=mvcount(mvmap(mvfield1,if(match(mvfield1,tomatch),mvfield1,null)))

Split the field to be searched into a mv-field and join the match dataset with "|" to create a regex. Then for each word in the mv-field see if it matches anything in the list, and count the matches. If you need to count a match only once e.g. trade is repeated, then you could wrap the mvmap in mvdedup i.e. mvcount(mvdedup(mvmap(...)))

0 Karma
Reply
Solved! Jump to solution

splunkerer
Path Finder
‎05-29-2021 07:43 PM

Thanks a lot @ITWhisperer, your solutions are the best as always. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...