Splunk Search

evaluate multiple fields

xyz123
Explorer

Hello,
I have 2 fields I want to filter they are: name, "short name"

I want to pull all the events that contains: name="software" or "short name"=software" 
and  exclude: "Splunk" "Adobe" "Microsoft".. and another 50 names for both fields

I have this for the exclusion:

 

 

| regex name!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"
| regex "short name"!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"

 

 

One question: is there a way to put this in 1 sentence instead of use duplication like above?
for example:

 

 

 | regex (name| "short name")!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"

 

 



Thanks,
xyz123




Labels (3)
0 Karma
1 Solution

manjunathmeti
Champion

hi @xyz123 ,

If fields name and "short name" part of your index then you can filter them in the main search only. This will be much faster.

index=index NOT [| makeresults | eval name="splunk|microsoft" | eval name=split(name, "|") | mvexpand name | strcat "*" name "*" name | format] NOT [| makeresults | eval filter="splunk|microsoft" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter | eval "short name"=filter | fields - filter | format]

 

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

1. Create a macro with an argument.

macros.conf

[filter_software(1)]
args = fieldname
definition = | makeresults | eval filter="splunk|microsoft|dell|apple" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter| eval $fieldname$=filter| fields - filter| format

2.  Use that macro in your search.

index=indexname sorcetype=sourcetypename NOT [`filter_software("name")`] NOT [`filter_software("short name")`]

 

If this reply helps you, an upvote/like would be appreciated. 

View solution in original post

0 Karma

manjunathmeti
Champion

hi @xyz123 ,

If fields name and "short name" part of your index then you can filter them in the main search only. This will be much faster.

index=index NOT [| makeresults | eval name="splunk|microsoft" | eval name=split(name, "|") | mvexpand name | strcat "*" name "*" name | format] NOT [| makeresults | eval filter="splunk|microsoft" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter | eval "short name"=filter | fields - filter | format]

 

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

1. Create a macro with an argument.

macros.conf

[filter_software(1)]
args = fieldname
definition = | makeresults | eval filter="splunk|microsoft|dell|apple" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter| eval $fieldname$=filter| fields - filter| format

2.  Use that macro in your search.

index=indexname sorcetype=sourcetypename NOT [`filter_software("name")`] NOT [`filter_software("short name")`]

 

If this reply helps you, an upvote/like would be appreciated. 

0 Karma

xyz123
Explorer

I like this solution show my code clean, and yes I'm filtering my fields, "name" and 'short name" at the "index" line, thanks

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can use the 'where' command instead of regex and do

| where !(match(name, "(.*)((?i)(splunk|acrobat|microsoft)(.*)") OR match('short name', "(.*)((?i)(splunk|acrobat|microsoft)(.*)"))

Note that in a where clause, the field names have the same rules as in eval statements, i.e. for fields containing non standard characters, you need to wrap the field in single quotes

 

 

0 Karma

xyz123
Explorer

I tried, this but since they are around more than 50 "name" it's going to take a lot of code that's why I went using RegEx, thanks so much for your reply.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...