Splunk Search

Splunk query to filter logs

alexspunkshell
Contributor

In my search result i am getting AD & Login locations.

Now I want to filter result, if both AD and Login locations are same. 

Please help me with splunk query

alexspunkshell_0-1615275899740.png

@soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana   @to4kawa 

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @alexspunkshell,

Please try this;

| rex field=login_location "(?<logloc>\w\w$)"
| rex field=AD_location "(?<adloc>\w\w$)"
| fillnull value="-" adloc logloc
| where logloc=adloc
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @alexspunkshell,

Please try this;

| rex field=login_location "(?<logloc>\w\w$)"
| rex field=AD_location "(?<adloc>\w\w$)"
| fillnull value="-" adloc logloc
| where logloc=adloc
If this reply helps you an upvote and "Accept as Solution" is appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

Assuming last two letters are the location you are interested in

| rex field=login_location "(?<logloc>\w\w$)"
| rex field=AD_location "(?<adloc>\w\w$)"
| where logloc=adloc

alexspunkshell
Contributor

@ITWhisperer This query also filters if logon & Ad location is empty. 

But I need to captured in result if those fields are empty. Could you plz help here. 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...