
eval searchmatch with OR

Contributor

I am trying to do a search match based on a number of different criteria.

The below does not work.

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/|*/Product/Product*Overview/Global*|*/Product/Product*Overview/EMEA/*|*/Product/Product*Overview/APAC/|*/Product/Product*Overview/Americas/"),1,null()) | stats count(Product) as Product by date_month

The below does return results but I want to combine Product 1-5 into one column and add the results.

sourcetype="iis-2" | extract auto=true | search cs_username |
eval Product1=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/"),1,null()) |
eval Product2=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Global*"),1,null()) |
eval Product3=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/EMEA/*"),1,null()) |
eval Product4=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/APAC/*"),1,null()) |
eval Product5=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Americas/*"),1,null()) |
stats count(Product1) as Product1 count(Product2) as Product2 count(Product3) as Product3 count(Product4) as Product4 count(Product5) as Product5 by date_month

I can't use */Product/Product*Overview/* as there are pages other than the ones above I do not want to include.

I am stuck, hope you can help.


Re: eval searchmatch with OR

Super Champion

I've never been able to get regex or wildcards to work in an if statement. Your best bet is probably creating a rex that will create a field for each. Once you have them as fields, then you can do pretty much whatever you want.


Re: eval searchmatch with OR

Contributor

Thanks for the reply. I have not done this before, how would I go about doing this?


Re: eval searchmatch with OR

Super Champion

Something like this:

sourcetype="iis-2" | extract auto=true | search cs_username | rex field=cs_uri_stem ".*(?<Global>/Product/Product.*Overview/Global)$"

This probably won't work because I don't have the entire value string, but that is basically it to create a field called Global for that stem.
Can you post the full cs_uri_stem values?


Re: eval searchmatch with OR

SplunkTrust

The problem with searchmatch is that it is not regex, so separating searches with "|" (or) will not work. You can do it this way:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(match(cs_uri_stem,"*/Product/Product*Overview/"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/Global*"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/EMEA/*"),1,if(match(cs_uri_stem),"*/Product/Product*Overview/APAC/"),1,if(match(cs_uri_stem,"*/Product/Product*Overview/Americas/"),1,null())))) | stats count(Product) as Product by date_month

Or a non-nested version:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=case(match(cs_uri_stem,"*/Product/Product*Overview/"),1,match(cs_uri_stem,"*/Product/Product*Overview/Global*"),1,match(cs_uri_stem,"*/Product/Product*Overview/EMEA/*"),1,match(cs_uri_stem,"*/Product/Product*Overview/APAC/"),1,match(cs_uri_stem,"*/Product/Product*Overview/Americas/"),1,1=1,null()) | stats count(Product) as Product by date_month

UPDATE
I fixed the syntax on the two searches.


Re: eval searchmatch with OR

SplunkTrust

Did either of these work for you?


Re: eval searchmatch with OR

Contributor

Hi, thanks for the response, I am just testing them now.

The first query comes back with...

Error in 'eval' command: The operator at ')' is invalid.

The non-nested version comes back with...

Error in 'eval' command: The operator at ',null())' is invalid.


Re: eval searchmatch with OR

Super Champion

This is the way you would use OR with rex. If your strings are correct, then this should work with the exception of /Product/Product.*Overview/. I left that out because from the looks of it you are specifying the overview/X strings that you want, and you said there are many that you don't want:

 | rex field="cs_uri_stem" ".*(?<PRODUCT>/Product/Product.*Overview/Global.*|/Product/Product.*Overview/EMEA/.*|/Product/Product.*Overview/APAC/.*|/Product/Product.*Overview/Americas/.*)$" | eval Contact=if(match(cs_uri_stem,"/Contacts/ContactProfile/"),1,null()) 


Re: eval searchmatch with OR

Contributor

This works great, however I do need the....

/Product/Product.*Overview/

It used to be the case that this page was split by geo location and it is now not the case, so to do a query over the year I would need to include the below page but no pages underneath it.

/Product/Product.*Overview/


Re: eval searchmatch with OR

Contributor

I just added /Product/Product.*Overview/. to the query and it works great.

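Added example, not from the thread and not Splunk's own code: a small Python emulation of the two points the thread turns on. First, a wildcard pattern like */Product/Product*Overview/ is not a regex (a leading "*" has nothing to repeat) and a "|" inside a wildcard pattern is a literal character, not OR; eval match() needs a real regex, so the glob must be translated. Second, the accepted rex answer works because it is an anchored regex alternation: the PRODUCT group must run to "$", so a sibling subpage such as a constructed /Product/ProductOverview/Pricing/ is not extracted, and adding the bare overview path /Product/Product.*Overview/ (the path the poster needed for the months before the geo split) as one more alternative matches that page and nothing beneath it. The sample records, month values and stems are constructed for the demo; the only syntax change from the thread's rex is Python's (?P<NAME>...) named-group form.

```python
import re
from collections import Counter

# Regex from the accepted answer's rex command; PCRE's (?<NAME>...) is written
# (?P<NAME>...) for Python's re module.
REX_PRODUCT = re.compile(
    r".*(?P<PRODUCT>/Product/Product.*Overview/Global.*"
    r"|/Product/Product.*Overview/EMEA/.*"
    r"|/Product/Product.*Overview/APAC/.*"
    r"|/Product/Product.*Overview/Americas/.*)$"
)

# Same alternation with the bare overview page added. Because "$" follows the
# group, this alternative matches the overview page itself and nothing beneath it.
REX_PRODUCT_WITH_PARENT = re.compile(
    r".*(?P<PRODUCT>/Product/Product.*Overview/Global.*"
    r"|/Product/Product.*Overview/EMEA/.*"
    r"|/Product/Product.*Overview/APAC/.*"
    r"|/Product/Product.*Overview/Americas/.*"
    r"|/Product/Product.*Overview/)$"
)

# Constructed sample IIS records (not from the thread): (date_month, cs_uri_stem).
SAMPLE_RECORDS = [
    ("january",  "/Product/ProductOverview/"),
    ("january",  "/Product/ProductOverview/Global/default.aspx"),
    ("february", "/Product/ProductOverview/EMEA/pricing.aspx"),
    ("february", "/Product/ProductOverview/APAC/"),
    ("february", "/Product/ProductOverview/Americas/team.aspx"),
    ("february", "/Product/ProductOverview/Pricing/"),   # sibling subpage: must not count
    ("march",    "/Contacts/ContactProfile/1234"),
    ("march",    "/Product/ProductList/"),
]


def is_valid_regex(pattern):
    """True if the pattern compiles as a regex. A search-style glob such as
    "*/Product/Product*Overview/" does not: the leading "*" has nothing to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def glob_to_regex(glob):
    """Translate a search-style wildcard pattern (only "*" is special; everything
    else, including "|", is literal) into an anchored regex for eval match()."""
    return "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"


def matches_glob(value, glob):
    """Wildcard comparison of a field value, as a glob would be applied."""
    return re.fullmatch(glob_to_regex(glob), value) is not None


def rex_product(stem, pattern=REX_PRODUCT):
    """Emulate 'rex field=cs_uri_stem ...': return the PRODUCT capture, or None
    when the regex does not match (the field stays null for that event)."""
    m = pattern.match(stem)
    return m.group("PRODUCT") if m else None


def count_product_by_month(records, pattern=REX_PRODUCT):
    """Emulate '... | stats count(PRODUCT) by date_month': events where rex did
    not extract PRODUCT have a null field and are not counted."""
    counts = Counter()
    for date_month, stem in records:
        if rex_product(stem, pattern) is not None:
            counts[date_month] += 1
    return dict(counts)


if __name__ == "__main__":
    print("glob compiles as regex:", is_valid_regex("*/Product/Product*Overview/"))
    print("translated glob:", glob_to_regex("*/Product/Product*Overview/Global*"))
    for _, stem in SAMPLE_RECORDS:
        print(f"{stem:48} -> {rex_product(stem)!r}")
    print("regions only:", count_product_by_month(SAMPLE_RECORDS))
    print("with parent: ", count_product_by_month(SAMPLE_RECORDS, REX_PRODUCT_WITH_PARENT))
```

Running the script shows the glob failing to compile, the four region stems extracted as PRODUCT while the Pricing sibling, the contact page and the product list are left null, and the per-month counts changing only for the bare overview page once that alternative is added.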