Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compare fields for like match

rg33
Explorer
‎07-25-2012 08:23 AM

I am looking for methods to compare two fields for a like match.

Specifically, I'd like to match when field1 can be found within field2. Also, I would like the comparison to be support either case sensitive or insensitive options. Fuzzy matching, including degree of similarity or confidence values, would also be helpful.

For example, given two events:

event1  field1="race"  field2="Racecar"
event2  field1="jump"  field2="Rope"
event3  field1="flip"  field2="BackFlip"

Desired result:

  event1  result=hit
  event2  result=miss
  event3  result=hit

Thanks in advance for your suggestions.

-rg

Reply
1 Solution
Solved! Jump to solution
Solution

rg33
Explorer
‎07-27-2012 06:54 AM

One solution:

Case sensitive matching:

search ... | eval results = if(match(field2,field1), "hit", "miss")

Case insensitive matching:

search ... | eval results = if(match(upper(field2),upper(field1)), "hit", "miss")

I hope this helps others. I tried quite a few other ways before discovering this.

View solution in original post

Reply
Solved! Jump to solution
Solution

rg33
Explorer
‎07-27-2012 06:54 AM

One solution:

Case sensitive matching:

search ... | eval results = if(match(field2,field1), "hit", "miss")

Case insensitive matching:

search ... | eval results = if(match(upper(field2),upper(field1)), "hit", "miss")

I hope this helps others. I tried quite a few other ways before discovering this.

Reply
Solved! Jump to solution

mad4wknds
Path Finder
‎12-26-2017 06:00 AM

I downvoted this post because error in 'eval' command: the arguments to the 'if' function are invalid.

0 Karma
Reply
Solved! Jump to solution

rg33
Explorer
‎03-24-2018 10:01 PM

I fixed the error. Sorry for the typo.

0 Karma
Reply
Solved! Jump to solution

xploresplunk
New Member
‎06-18-2019 07:30 AM

How would you get the time for which these two fields matched each other? Further, if it matches several times how would you get the first time they matched (earliest time)?

0 Karma
Reply
Solved! Jump to solution

countermancs
New Member
‎10-26-2017 10:26 AM

I am trying to match a the values of a 1 field with the values of another field .

When i use this eval I get Error in 'eval' command: The arguments to the 'match' function are invalid.

any ideas?

0 Karma
Reply
Solved! Jump to solution

dfqobvbkmnpi
Explorer
‎05-23-2017 01:56 PM

looks like you have an extra ) or not enough ( in the case sensitive solution.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎07-26-2012 06:31 PM

Is this both question and answer? If so, you should edit it so the answer appears in an answer response below. That is more clear and you can get karma for a correct answer to your question and a "self-learner" badge for answering your own question 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...