Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join fields with partly matching

msrama5
Explorer
‎06-14-2020 08:34 PM

Hi All, I have query below that needs to modified for sub string matching condition -

splunk query:

 

sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

 

when 
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21


The query above needs to be modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results, how can this query below be modified?

Labels (3)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎06-15-2020 02:28 PM 
(sourcetype=source1 id1="*") OR (sourcetype=source2 id2="*") OR (sourcetype=source3 id2="*")
| eval Id=coalesce(id1,id2,id3)
| eval ID=mvindex(split(Id,"-"),-1)
| stats count by ID sourcetype
| xyseries ID sourcetype count |
| fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

hi @msrama5 
How about this?

0 Karma
Reply

DalJeanis
Legend
‎06-15-2020 09:33 AM

Is the difference always a prefix that ends with a hyphen?

Is the prefix always three characters?

Is the ID always 36 characters long?

If so, then use this-

| eval matchId=coalesce(id1,id2,id3)
| eval matchId=substr(matchId,len(matchId)-35,36)

 

0 Karma
Reply

msrama5
Explorer
‎06-15-2020 09:23 AM

@to4kawa any ideas on this ?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...