Unexpected behavior of searchmatch function

pm771
Communicator

We use Enterprise Splunk Version: 9.1.6

I have noticed a strange behavior of searchmatch() function.

| makeresults
| eval fieldstring="ONE TWO THREE"
| eval result=if(searchmatch("THREE TWO"), 1, 0)

After the run result equals to 1.

Why is it not looking for the complete literal string and performing "THREE" AND "TWO" instead?

bowesmana
SplunkTrust

searchmatch is a somewhat odd command in that it is looking at the "EVENT", i.e. it must have a _raw.

If you run this

| makeresults
| eval _raw="ONE TWO THREE"
| eval result=if(searchmatch("THREE TWO"), 1, 0)

You will see result=1, but if you run

| makeresults
| eval _raw="ONE TWO THREE"
| eval result=if(searchmatch("THREEX TWO"), 1, 0)

You will see result=0

Also if you run

| makeresults
| eval fieldstring="ONE TWO THREE"
| eval result=if(searchmatch("XX YY"), 1, 0)

You will also see result=1 - odd - but that's the way it seems to handle a null _raw field. I am not sure why it finds a result when _raw is not present.

Note the example given in the documentation, which further confuses

https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/ConditionalFunctions#searchmatch....

| makeresults 1 
| eval _raw = "x=hi y=bye" 
| eval x="hi" 
| eval y="bye" 
| eval test=if(searchmatch("x=hi y=*"), "yes", "no") 
| table _raw test x y

If you set _raw to be "x=low..." then the match will fail, so in this case, it's comparing the match against the specific field x where it has a value different to the _raw content.

Anyway, your example sets a specific single string to be a fixed value, so if you do this

| makeresults
| eval fieldstring="ONE TWO THREE"
| eval result=if(searchmatch("fieldstring=\"ONE TWO THREE\""), 1, 0)

You will get a correct match, but if you change the match text, it will give you result=0.

Hope I've not managed to confuse you too much!

pm771
Communicator

I've been offered to replace searchmatch() with match().

| makeresults 1
| eval _raw="ONE TWO THREE"
| eval result=if(searchmatch("ONE THREE"), 1, 0)
| eval garbage=if(searchmatch("ONE WHATEVER THREE"), 1, 0)
| eval matching=if(match(_raw, "ONE THREE"), 1, 0)

Seems to be more readable than escaped quotation marks.

bowesmana
SplunkTrust

I find that match() is generally more useful for most problems than searchmatch - as @livehybrid says, searchmatch is effectively giving you the ability to do matching done through the search command syntax, so there is no case sensitivity, wildcards can be used as needed, and AND and OR can be used, whereas match is a much more specific regex-based matching and you can match any regex against any field.

pm771
Communicator

The original problem was discovered with a Splunk alert that had all proper fields. I created this small script just to demonstrate the issue without a need for real data.

livehybrid
SplunkTrust

Hi @pm771 

The searchmatch command is applying the parameter you pass it as if it was in the original search, so "TWO THREE" is like "index=test TWO THREE" which is the same as "index=test THREE TWO" in SPL terms. (Like you said, it's doing an AND).

If you want to search literally for "TWO THREE" then you need to do this:

| eval match=IF(searchmatch("\"TWO THREE\""),1,0)

which is to add a set of escaped quotes around the text; this would be like running the below, if you follow what I mean?

index=test "TWO THREE"

Here are some comparisons that might help:

| makeresults
| eval _raw="ONE TWO THREE FOUR"
| eval match1=IF(searchmatch("TWO THREE"),1,0)
| eval match2=IF(searchmatch("THREE TWO"),1,0)
| eval match3=IF(searchmatch("SIX"),1,0)
| eval match4=IF(searchmatch("\"TWO THREE\""),1,0)
| eval match5=IF(searchmatch("\"THREE TWO\""),1,0)

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
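To make the AND-of-terms versus quoted-phrase distinction from the answers above concrete, here is a small Python model of the searchmatch() semantics described in this thread (an added example, not Splunk's own code or anything from the posters). It assumes an event is a dict holding `_raw` plus extracted fields, and it models bare terms, quoted phrases and `field=value` terms only; the "result=1 with no _raw" quirk noted above is deliberately not reproduced.

```python
"""Model of searchmatch() as described in the thread (added example, not Splunk's code):
bare terms are AND'ed regardless of order, case-insensitively, with '*' wildcards;
a "quoted phrase" must occur literally and in order; field=value terms are checked
against that field's value. Assumption: an event is a dict with _raw and field values."""
import re

def _tokenize(query: str):
    # Yields (field, phrase, word) triples for field=value, "quoted phrase" or bare word.
    return re.findall(r'(?:(\w+)=)?(?:"([^"]*)"|(\S+))', query)

def _wild(term: str, star: str = ".*") -> str:
    # Escape the term, then turn the search-language '*' wildcard into a regex wildcard.
    return re.escape(term).replace(r"\*", star)

def searchmatch(event: dict, query: str) -> bool:
    """True when every token of the query is satisfied by the event (implicit AND)."""
    raw = event.get("_raw", "")  # the thread saw 1 for a missing _raw; not modelled here
    for field, phrase, word in _tokenize(query):
        if field:
            # field=value: whole field value must match, wildcards allowed (y=*).
            value = str(event.get(field, ""))
            ok = re.fullmatch(_wild(phrase or word), value, re.IGNORECASE) is not None
        elif phrase:
            # Literal phrase: same words, same order, any whitespace between them.
            pat = r"\b" + r"\s+".join(re.escape(w) for w in phrase.split()) + r"\b"
            ok = re.search(pat, raw, re.IGNORECASE) is not None
        else:
            # Bare term: must appear as a whole word somewhere in _raw, any order.
            ok = re.search(r"\b" + _wild(word, r"\S*") + r"\b", raw, re.IGNORECASE) is not None
        if not ok:
            return False
    return True

def match(event: dict, regex: str) -> bool:
    """Counterpart of eval match(): a plain, case-sensitive regex search over _raw."""
    return re.search(regex, event.get("_raw", "")) is not None

EVENT = {"_raw": "ONE TWO THREE FOUR"}  # constructed, mirrors the thread's examples

if __name__ == "__main__":
    for q in ["TWO THREE", "THREE TWO", "SIX", '"TWO THREE"', '"THREE TWO"', "THREEX TWO"]:
        print(f"searchmatch({q!r}) -> {int(searchmatch(EVENT, q))}")
    print("match(_raw, 'ONE THREE') ->", int(match(EVENT, "ONE THREE")))
```

Running it reproduces match1..match5 from the comparison above (1, 1, 0, 1, 0) and shows why a regex passed to match() behaves differently: "ONE THREE" is a literal pattern there and does not match "ONE TWO THREE".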
