Splunk Search

how to compare regex with string, which are two different fields in my search query output.

annamareddi
New Member

i have a regex pattern in my .CSV file. Pattern1= A$B$C|K$L$M|X$Y$Z. where "$" is a variable like date and ID
each pattern is tagged to a unique number. Unique number=123 for Pattern1.
i tried to split the pattern1 in my search by pipe(|) using eval split command.
i need first(_raw) for these splitted patterns.
my output is

unique number splitted_pattern (_raw)
123 A$B$C ABC
KLM
XYZ

123 K$L$M ABC
KLM
XYZ

123 X$Y$Z ABC
KLM
XYZ
but i need a output as

unique number splitted_pattern (_raw)
123 A$B$C ABC
123 K$L$M KLM
123 X$Y$Z XYZ

Tags (1)
0 Karma

jkat54
SplunkTrust
SplunkTrust

Add this to your search:

|mvexpand splitted_pattern

It works for me when I generate the data like this:

| makeresults count=1 | eval csv="123,ABC|KLM|XYZ" | rex field=csv "(?<uniqnum>\d+),(?<patterns>.*)" |  eval splitted_pattern=split(patterns,"|") | mvexpand splitted_pattern
0 Karma

inventsekar
SplunkTrust
SplunkTrust

can you write us your current query please.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...