Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trying to match 2 fields in 2 different sources by wildcard

fotc1969
New Member
‎03-21-2018 04:41 PM

I have 2 sources with different pieces information and i'm trying to return a coalesced search based on a partial match between them

source_1
lookupfield = "dept_LV"
location = "Las Vegas"
costcenter = "33422345"

source_2
actual_field = "dept_LV_subdivision_2"
building_number="22"
caption = "Accounting"
actual_field = "dept_LV_subdivision_3"
building_number="28"
caption = "Engineering"

source = "source_1" OR source = "source_2" | eval matchID=coalesce(lookupfield, actual_field) | search matchID = "dept_LV" | table costcenter, location, building_number, caption

from this i would expect to get the aggregated info from both sources for all actual_fields that match dept_LV. the problem is i dont think coalesced searches allow partial matches. how would i achieve this otherwise?

Tags (2)
0 Karma
Reply

elliotproebstel
Champion
‎03-21-2018 05:59 PM

I think you're almost there. Have you tried this:

source = "source_1" OR source = "source_2" 
| eval matchID=coalesce(lookupfield, actual_field) 
| search matchID = "dept_LV*" 
| table costcenter, location, building_number, caption

To make it even more efficient, I'd start out by including that wildcarded term in the original search:

source = "source_1" OR source = "source_2" dept_LV*
| eval matchID=coalesce(lookupfield, actual_field) 
| search matchID = "dept_LV*" 
| table costcenter, location, building_number, caption
0 Karma
Reply

fotc1969
New Member
‎03-22-2018 08:05 AM

This is almost perfectly exactly what i'm looking for, the only thing, and this is probably my fault for not elaborating, but "dept_LV*" wont always be "dept_LV" it could be "site_LA" "org_NY". i need the "search" function to use the variable rather than a manual string... for instance:

source = "source_1" OR source = "source_2"
| eval matchID=coalesce(lookupfield, actual_field)
| search matchID = lookupfield
| table costcenter, location, building_number, caption

I even tried:

source = "source_1" OR source = "source_2"
| eval matchID=coalesce(lookupfield, actual_field)
| where like (matchID, lookupfield)
| table costcenter, location, building_number, caption

but it's just not triggering on that search. Another way of asking, is is there a way for a search clause to match 2 fields with a wildcard?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-21-2018 05:56 PM

The search is returning exactly what you told it to search for - "dept_LV", not "dept_LV*". Try this

source = "source_1" OR source = "source_2" | eval matchID=coalesce(lookupfield, actual_field) | where match(matchID, "dept_LV.*" | table costcenter, location, building_number, caption
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...