Re: Join fields with partly matching

msrama5 · ‎06-14-2020

Hi All, I have query below that needs to modified for sub string matching condition -

splunk query:

sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

when
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21

The query above needs to be modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results, how can this query below be modified?

to4kawa · ‎06-15-2020

(sourcetype=source1 id1="*") OR (sourcetype=source2 id2="*") OR (sourcetype=source3 id2="*")
| eval Id=coalesce(id1,id2,id3)
| eval ID=mvindex(split(Id,"-"),-1)
| stats count by ID sourcetype
| xyseries ID sourcetype count |
| fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

hi @msrama5
How about this?

DalJeanis · ‎06-15-2020

Is the difference always a prefix that ends with a hyphen?

Is the prefix always three characters?

Is the ID always 36 characters long?

If so, then use this-

| eval matchId=coalesce(id1,id2,id3)
| eval matchId=substr(matchId,len(matchId)-35,36)

msrama5 · ‎06-15-2020

@to4kawa any ideas on this ?

Join fields with partly matching

stats

subsearch

table

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?