
Trying to find if at least one value of a multivalue field matches another field

Communicator

Hello,
I am trying to figure out how to check if inside a list of paths that are inside a multivalue field there is one that matches another field.

For example

eventfield=/opt/aaa/bbb/ccc
multivalue field=/tmp/aaa/zzz ; /var/log/syslog; /opt/aaa/bbb ; /lb/tools/java

In the above example the third value of the multivalue field matches the event field, because /opt/aaa/bbb is part of event_field.
It would be nice not to use mvexpand...

Thanks in advance.


Re: Trying to find if at least one value of a multivalue field matches another field

SplunkTrust

Is there any reason you don't want to use mvexpand? It becomes quite tricky without it as far as I can think of.
Give the following code a go and let me know if that performs well or you really want to avoid mvexpand at all cost.

your base search
| mvexpand multivalue_field
| eval find_match = if(match(event_field, multivalue_field), 1, 0)
| stats values(event_field) as event_field, values(multivalue_field) as multivalue_field, max(find_match) as find_match

You could use mvfilter but then you need a way to hardcode the value of the path you are looking for as it won't take two variables as arguments:

your base search
| eval is_match = mvfilter(match("/opt/aaa/bbb/ccc", multivalue_field))

Re: Trying to find if at least one value of a multivalue field matches another field

Legend

Not sure you need the mvexpand. Try without, should work just as well.

your base search
 | eval find_match = if(match(event_field, multivalue_field), 1, 0)

Re: Trying to find if at least one value of a multivalue field matches another field

SplunkTrust

I'm afraid it doesn't.

| stats count | fields - count
| eval event_field="/opt/aaa/bbb/ccc"
| eval multivalue_field="/tmp/aaa/zzz ; /var/log/syslog ; /opt/aaa/bbb ; /lb/tools/java"
| eval multivalue_field = split(multivalue_field, " ; ")
| eval find_match = if(match(event_field, multivalue_field), 1, 0)

find_match = 0


Re: Trying to find if at least one value of a multivalue field matches another field

Legend

That's interesting, is it because of the /?

 | stats count | fields - count
 | eval aevent_field="ccc"
 | eval amultivalue_field="aaa; bbb; ccc; ddd"
 | eval amultivalue_field=split(amultivalue_field, ";")
 | eval afind_match = if(match(amultivalue_field, aevent_field), 1, 0)
 | eval bevent_field="/opt/aaa/bbb/ccc"
 | eval bmultivalue_field="/tmp/aaa/zzz ; /var/log/syslog ; /opt/aaa/bbb ; /lb/tools/java"
 | eval bmultivalue_field = split(bmultivalue_field, " ; ")
 | eval bfind_match = if(match(bmultivalue_field, bevent_field), 1, 0)

find_match=1

BTW, do you have multivaluefield & eventfield flipped? match(SUBJECT, "REGEX")


Re: Trying to find if at least one value of a multivalue field matches another field

SplunkTrust

Could be because of the /, not sure.
With regards to your second question, I have swapped the arguments on purpose because '/opt/aaa/bbb' supersedes '/opt/aaa/bbb/ccc'

| stats count | fields - count
| eval event_field="/opt/aaa/bbb/ccc"
| eval multivalue_field="/opt/aaa/bbb"
| eval find_match1 = if(match(event_field, multivalue_field), 1, 0)
| eval find_match2 = if(match(multivalue_field,event_field), 1, 0)

If the regex is more specific than the subject, it won't capture it:

| stats count | fields - count
| eval child="AAAAAAAAAAAAAAAAAAAA"
| eval parent="AA"
| eval find_match1 = if(match(child, parent), 1, 0)
| eval find_match2 = if(match(parent,child), 1, 0)
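The check the thread settles on (per-value match(SUBJECT, REGEX), collapsed with max() as in the mvexpand answer) re-implemented in Python as an added example that is not from the thread, using the thread's own sample values. It shows the two points raised in the replies, that the argument order matters and that a path value read as a regex has no path boundary and treats '.' as a metacharacter, so a literal prefix check is shown beside it.

```python
import re

# Constructed sample row, using the example values from the question.
EVENT_FIELD = "/opt/aaa/bbb/ccc"
MULTIVALUE_FIELD = "/tmp/aaa/zzz ; /var/log/syslog; /opt/aaa/bbb ; /lb/tools/java"


def split_mv(raw, sep=";"):
    """Like Splunk split(), but also trims the spaces around each value."""
    return [v.strip() for v in raw.split(sep) if v.strip()]


def find_match(subject, regexes):
    """Per-value match(SUBJECT, REGEX) collapsed with max(): 1 if any value,
    read as a regex, occurs anywhere in subject, else 0."""
    return max((1 if re.search(rx, subject) else 0) for rx in regexes)


def find_prefix_match(path, dirs):
    """Literal path check: 1 if path equals one of dirs or lies below it.
    No regex semantics, so '.' is not a wildcard and '/opt/aaa/bbb' does
    not match '/opt/aaa/bbbx/...'."""
    hit = any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)
    return 1 if hit else 0


if __name__ == "__main__":
    values = split_mv(MULTIVALUE_FIELD)
    # 1: '/opt/aaa/bbb' is found inside the event path
    print(find_match(EVENT_FIELD, values))
    # 0: arguments swapped, the regex is longer than every subject
    print(max(find_match(v, [EVENT_FIELD]) for v in values))
    # 1: regex has no path boundary, so a sibling directory is a false positive
    print(find_match("/opt/aaa/bbbx/ccc", values))
    # 0: the literal prefix check respects the directory boundary
    print(find_prefix_match("/opt/aaa/bbbx/ccc", values))
```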