Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Join fields with partly matching

msrama5
Explorer
‎06-14-2020 08:34 PM

Hi All, I have query below that needs to modified for sub string matching condition -

splunk query:

 

sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*"
Id=coalesce(id1,id2,id3)
| stats count by Id sourcetype
| xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

 

when 
id1=F80C05F3-19AF-40D3-AC73-19544E928D21
id2=XOP-F80C05F3-19AF-40D3-AC73-19544E928D21
id3=ABC-F80C05F3-19AF-40D3-AC73-19544E928D21


The query above needs to be modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results, how can this query below be modified?

Labels (3)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎06-15-2020 02:28 PM 
(sourcetype=source1 id1="*") OR (sourcetype=source2 id2="*") OR (sourcetype=source3 id2="*")
| eval Id=coalesce(id1,id2,id3)
| eval ID=mvindex(split(Id,"-"),-1)
| stats count by ID sourcetype
| xyseries ID sourcetype count |
| fillnull source1 source2 source3 value="Not exists"
| table source1 source2 source3

hi @msrama5 
How about this?

0 Karma
Reply

DalJeanis
Legend
‎06-15-2020 09:33 AM

Is the difference always a prefix that ends with a hyphen?

Is the prefix always three characters?

Is the ID always 36 characters long?

If so, then use this-

| eval matchId=coalesce(id1,id2,id3)
| eval matchId=substr(matchId,len(matchId)-35,36)

 

0 Karma
Reply

msrama5
Explorer
‎06-15-2020 09:23 AM

@to4kawa any ideas on this ?

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...