comparing selected bytes from two values

zuzgon2 · ‎06-23-2014

Hey,
I got a few indexes in splunk and I want to compare two different values
but like the first 10bytes of the first value and the last 10bytes of the second value.
Like if it's
search (index1 or index2) | where value1[0:10]=value2[-10::]
value1=0123456789hiiiiiiiiiiiiiiiii
value2=hiiiiiiiiii0123456789
will return true.

Ayn · ‎06-23-2014

You can use the substr function.

(index=index1 OR index=index2) | where substr(value1,1,10)==substr(value2,-10)

Note that it's VERY inefficient to use a base search without any filtering like this. If possible you should try to find ways to filter how much data comes out of the base search.

http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/CommonEvalFunctions

martin_mueller · ‎06-23-2014

Take a look at this:

| stats count | eval value1="0123456789hiiiiiiiiiiiiiiiii" | eval value2="hiiiiiiiiii0123456789" | eval match = if(substr(value1, 0, 10) == substr(value2, -10, 10), "match", "no match")

Gives me "match".

comparing selected bytes from two values

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

comparing selected bytes from two values

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?