finding field b partial matches in field a (inputl...

tchankapi · ‎06-26-2021

I am trying to find matches for field b, when there is a partial match in field a. I have field a which is an imported csv with hostname/IP's, field b is from an index search. Is there a way to find which in field b match one of the field a values whether it is server name or IP? I've tried some combinations of eval case statements(match/like), attempted regex but from my understanding you have to provide the value rather than a field type. Would I need to run some sort of loop searching field a for all values in field b - seems like this would be pretty resource heavy and inefficient? End result is I would do a count on matches, if field a is a 0 or 1, then I would make my chart for that value. Any direction or advice would be greatly appreciated, even just a point to a specific part of the documentation (currently on 7.3)!

Let me know if more data is needed and I'll be glad to sanitize and provide more output, was trying to keep the post short.

ex:

field a
server1,10.0.0.7,10.0.0.8

server2,10.0.0.9,10.0.0.10

field b

server1

10.0.0.9

ITWhisperer · ‎06-26-2021

Would something along these lines work?

search
| join fielda
     [| inputlookup csv
      | eval fielda=split(fieldb,",")
      | mvexpand fielda]

finding field b partial matches in field a (inputlookup csv)

count

eval

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation