Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

comparing selected bytes from two values

zuzgon2
Engager
‎06-23-2014 11:59 AM

Hey,
I got a few indexes in splunk and I want to compare two different values
but like the first 10bytes of the first value and the last 10bytes of the second value.
Like if it's
search (index1 or index2) | where value1[0:10]=value2[-10::]
value1=0123456789hiiiiiiiiiiiiiiiii
value2=hiiiiiiiiii0123456789
will return true.

Tags (3)
0 Karma
Reply

Ayn
Legend
‎06-23-2014 12:42 PM

You can use the substr function.

(index=index1 OR index=index2) | where substr(value1,1,10)==substr(value2,-10)

Note that it's VERY inefficient to use a base search without any filtering like this. If possible you should try to find ways to filter how much data comes out of the base search.

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/CommonEvalFunctions

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-23-2014 12:34 PM

Take a look at this:

| stats count | eval value1="0123456789hiiiiiiiiiiiiiiiii" | eval value2="hiiiiiiiiii0123456789" | eval match = if(substr(value1, 0, 10) == substr(value2, -10, 10), "match", "no match")

Gives me "match".

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...