Solved: evaluate multiple fields

xyz123 · ‎02-02-2021

Hello,
I have 2 fields I want to filter they are: name, "short name"

I want to pull all the events that contains: name="software" or "short name"=software"
and exclude: "Splunk" "Adobe" "Microsoft".. and another 50 names for both fields

I have this for the exclusion:

| regex name!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"
| regex "short name"!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"

One question: is there a way to put this in 1 sentence instead of use duplication like above?
for example:

 | regex (name| "short name")!="(.*)((?i)(splunk|acrobat|microsoft)(.*)"

Thanks,
xyz123

manjunathmeti · ‎02-02-2021

hi @xyz123 ,

If fields name and "short name" part of your index then you can filter them in the main search only. This will be much faster.

index=index NOT [| makeresults | eval name="splunk|microsoft" | eval name=split(name, "|") | mvexpand name | strcat "*" name "*" name | format] NOT [| makeresults | eval filter="splunk|microsoft" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter | eval "short name"=filter | fields - filter | format]

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

1. Create a macro with an argument.

macros.conf

[filter_software(1)]
args = fieldname
definition = | makeresults | eval filter="splunk|microsoft|dell|apple" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter| eval $fieldname$=filter| fields - filter| format

2. Use that macro in your search.

index=indexname sorcetype=sourcetypename NOT [`filter_software("name")`] NOT [`filter_software("short name")`]

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎02-02-2021

hi @xyz123 ,

If fields name and "short name" part of your index then you can filter them in the main search only. This will be much faster.

index=index NOT [| makeresults | eval name="splunk|microsoft" | eval name=split(name, "|") | mvexpand name | strcat "*" name "*" name | format] NOT [| makeresults | eval filter="splunk|microsoft" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter | eval "short name"=filter | fields - filter | format]

For your question, if you want the same query to filter values for 2 fields, you can create a macro and use it in your search.

1. Create a macro with an argument.

macros.conf

[filter_software(1)]
args = fieldname
definition = | makeresults | eval filter="splunk|microsoft|dell|apple" | eval filter=split(filter, "|") | mvexpand filter | strcat "*" filter "*" filter| eval $fieldname$=filter| fields - filter| format

2. Use that macro in your search.

index=indexname sorcetype=sourcetypename NOT [`filter_software("name")`] NOT [`filter_software("short name")`]

If this reply helps you, an upvote/like would be appreciated.

xyz123 · ‎02-05-2021

I like this solution show my code clean, and yes I'm filtering my fields, "name" and 'short name" at the "index" line, thanks

bowesmana · ‎02-02-2021

You can use the 'where' command instead of regex and do

| where !(match(name, "(.*)((?i)(splunk|acrobat|microsoft)(.*)") OR match('short name', "(.*)((?i)(splunk|acrobat|microsoft)(.*)"))

Note that in a where clause, the field names have the same rules as in eval statements, i.e. for fields containing non standard characters, you need to wrap the field in single quotes

xyz123 · ‎02-05-2021

I tried, this but since they are around more than 50 "name" it's going to take a lot of code that's why I went using RegEx, thanks so much for your reply.

evaluate multiple fields

eval

fields

regex

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting