Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Matching several strings in a field

gelspas
Explorer
‎09-16-2021 07:12 AM

I have a field (FIELD1) that may contain one of several strings.  These strings may appear in different locations within FIELD1.  I would like to select all records where FIELD1 contains any of these strings.

Example of 4 strings:   "ABC(Z"   "DEF(Z"   "GHIJK (Z" "LMNOP (Z"

What is an efficient method for selecting any records that contain any one of these strings in any location within FIELD1?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-16-2021 11:46 PM

Hi @gelspas,

if you're not interested to know which string is found, you could use the regex command to search those strings:

| regex FIELD1="(\"ABC\(Z\")|(\"DEF\(Z\")|(\"GHIJK \(Z\")|(\"LMNOP \(Z\")"

My hint is to use the lookup solution so you'll have a dynamic solution instead to have the strings to search in the code.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-16-2021 07:21 AM

Hi @gelspas,

if you have a limited number of strings, you could use a regex like this:

| rex field=FIELD1 "(?<your_string>(\"ABC\(Z\")|(\"DEF\(Z\")|(\"GHIJK \(Z\")|(\"LMNOP \(Z\"))"

putting much attention when you write the strings to search.

In this way, when one of the strings is present, you have that string in the field your_string. otherwise the field is empty.

If instead you have many strings, you could put them in a lookup, called e.g. "patterns.csv", with one field called "pattern" and run a search like this:

index=your-index [ | inputlookup patterns.csv | rename pattern AS query | fields query ]
| ...

in this way you use the strings in the lookup to filter your events.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gelspas
Explorer
‎09-16-2021 08:38 AM

Thank you but I do not think this rex accomplishes what I need or perhaps I am reading it wrong?  My regex knowledge is not strong.

I only wish to keep records where FIELD1 contains one of the 4 strings.  

In the example below only the first two records should be kept because they match on ABC(Z and GHIJK(Z.  The third record would not match.

Examples of  FIELD1:  

Record 1: 09162021 CMDONE ABC(Z123456) MORE TEXT

Record 2: 09152021 CMD TWO GHIJK(ZABC123) MORE TEXT

Record 3: 09162021 CMD3 LMNO(A1234BD) MORE TEXT

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-16-2021 11:46 PM

Hi @gelspas,

if you're not interested to know which string is found, you could use the regex command to search those strings:

| regex FIELD1="(\"ABC\(Z\")|(\"DEF\(Z\")|(\"GHIJK \(Z\")|(\"LMNOP \(Z\")"

My hint is to use the lookup solution so you'll have a dynamic solution instead to have the strings to search in the code.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gelspas
Explorer
‎09-17-2021 03:19 AM

This worked.  I just had to remove the quotes around the strings since I was not looking for them.

regex FIELD1="(ABC\(Z) | (DEF\(Z) | (GHIJK\(Z) | (LMNOP\(Z)"

Thank you 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...