Is there a way to check if a field value is present in a transaction?

jluo_splunk
Splunk Employee

The transaction command has the options startswith and endswith, but is there a "contains" of some sort that can be used, just to say that somewhere in the transaction there should be some field value?

0 Karma
1 Solution

MattZerfas
Communicator

I have used a regex in a match statement before like below and it seems to work fine. Maybe try that?

startswith=eval(match(eventName,".*SkipFwd"))

0 Karma

MattZerfas
Communicator

Oh, then you could just do a |search foo=bar or |where foo=bar after your transaction, depending on what you are wanting to look for.
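Putting the thread's advice together as one runnable search (an added example, not code from either poster): the transaction is built first, and the "contains" check is done afterwards with a plain search, because transaction merges each field's distinct values from all grouped events into one multivalue field, so a search on that field matches when any event in the transaction carried the value. The index name app, the sourcetype player_events and the correlation field sessionId are assumptions made for this example; only eventName and the value SkipFwd come from the thread.

```spl
index=app sourcetype=player_events
| transaction sessionId maxspan=1h maxpause=15m
| search eventName=SkipFwd
| table _time sessionId duration eventcount eventName
```

After the transaction command, eventName holds every distinct value seen in the session, and duration and eventcount are the fields transaction adds for span and size. If the check needs a regex rather than an exact value, replace the search line with `| where mvcount(mvfilter(match(eventName, ".*SkipFwd"))) > 0`, which keeps only transactions where at least one merged value matches; a bare match() on a multivalue field is not reliable for this, which is why mvfilter is used.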

jluo_splunk
Splunk Employee

That did it - thank you MattZerfas!

jluo_splunk
Splunk Employee

My issue is I don't necessarily want it to start with this field value. I just want to check that the field value is somewhere in there, not necessarily the beginning or the end.

0 Karma

javiergn
Super Champion

Is this what you are talking about?

startswith=eval(match(yourfield,"yourvalue"))
endswith=eval(match(yourfield,"yourvalue"))

You can use regex too or even conditionals inside your eval.
See transaction reference help page.

0 Karma
