Re: SPLUNK JOIN FIELDS WITH PARTLY MATCHING

msrama5 · ‎06-14-2020

Hi All, I have query below that needs to modified for sub string matching condition -

splunk query:

sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

when
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21

The query above needs to be modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results, how can this query below be modified?

to4kawa · ‎06-15-2020

(sourcetype=source1 id1="*") OR (sourcetype=source2 id2="*") OR (sourcetype=source3 id2="*")
| eval Id=coalesce(id1,id2,id3)
| eval ID=mvindex(split(Id,"-"),-1)
| stats count by ID sourcetype
| xyseries ID sourcetype count |
| fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

hi @msrama5
How about this?

DalJeanis · ‎06-15-2020

Is the difference always a prefix that ends with a hyphen?

Is the prefix always three characters?

Is the ID always 36 characters long?

If so, then use this-

| eval matchId=coalesce(id1,id2,id3)
| eval matchId=substr(matchId,len(matchId)-35,36)

msrama5 · ‎06-15-2020

@to4kawa any ideas on this ?

Join fields with partly matching

stats

subsearch

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation