Splunk Search

matching hostnames issue

secure
Path Finder

Hi

I have a list of servers coming from two different sources. List A has servers without domain names and list B has servers with and without domain names.
I was trying to compare the two lists and get matching and non-matching values.

The problem is that both lists have the same servers, but because of the domain name it says not matching.
I understand the if function is probably not the correct choice, and when I use case with like it gives me an error. Any suggestions on this?

|makeresults
| eval listA="xyz1apac" ,listB="xyz1apac.ent.bhpbilliton.net"
| append [| makeresults | eval listA="xyz2" ,listB="xyz2.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz3emea" ,listB="xyz3emea"]
| append [| makeresults | eval listA="xyz4abc" ,listB="xyz4abc.ent.bhpbilliton.net"]
| fields - _time
| eval matching=if(listA != listB, "NOT OK", "OK")

thanks

livehybrid
Champion

Hi @secure 

You could use rex to get the first part of the hostname like this:

|makeresults
| eval listA="xyz1apac" ,listB="xyz1apac.ent.bhpbilliton.net"
| append [| makeresults | eval listA="xyz2" ,listB="xyz2.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz3emea" ,listB="xyz3emea"]
| append [| makeresults | eval listA="xyz4abc" ,listB="xyz4abc.ent.bhpbilliton.net"]
| fields - _time
| rex field=listA "(?<hostA>[^\.]+)"
| rex field=listB "(?<hostB>[^\.]+)"
| eval matching=if(hostA != hostB, "NOT OK", "OK")

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

yuanliu
SplunkTrust

Like @livehybrid and yourself said, there are a myriad of methods to perform a match. Here is another, given that you know that listA does not contain a domain name.

| eval matching=if(listA == mvindex(split(listB, "."), 0), "OK", "NOT OK")

split-mvindex is slightly less expensive than regex/match, but the difference is really small. The real question is, as @livehybrid asked: are there some constraints in your use case that would prefer one solution over another?

livehybrid
Champion

I just came on to suggest an mvindex/split approach as an alternative @yuanliu, but as you say, rex is probably most effective here!

Different ways for doing things, ultimately depends on the situation 🙂 

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

secure
Path Finder

@livehybrid thanks for the regex. Is it possible through case with the like or match function? Just trying to explore all the possibilities.

livehybrid
Champion

Possibly, what is the overall goal? Just so I can make sure it's suitable.
Thanks

secure
Path Finder

@livehybrid my overall goal was to learn other methods as well; rex was something I was able to figure out earlier.

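The thread never shows the case-with-like or case-with-match variant that was asked about, so here is an added example of both (editor's example, not code from any of the posters above). The makeresults table is constructed for this example: the first three rows are the thread's own inputs, and the last three are extra rows that exercise two things the thread's inputs do not. DNS names are case-insensitive and a trailing dot is a legal FQDN spelling, so both sides are lower-cased and trimmed before the comparison. And a bare prefix test would accept xyz5 against xyz5x, so the match() pattern anchors the short name at the start and requires a dot or end-of-string after it, while the like() pattern requires a literal dot after the short name.

```spl
| makeresults
| eval listA="xyz1apac", listB="xyz1apac.ent.bhpbilliton.net"
| append [| makeresults | eval listA="xyz2", listB="xyz2.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz3emea", listB="xyz3emea"]
| append [| makeresults | eval listA="XYZ4ABC", listB="xyz4abc.ent.bhpbilliton.net."]
| append [| makeresults | eval listA="xyz5", listB="xyz5x.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz6", listB="xyz7.ent.bhpbilliton.net"]
| fields - _time
| eval a=lower(trim(listA)), b=lower(rtrim(trim(listB), "."))
| eval matching_match=case(
      a == b, "OK",
      match(b, "^" . a . "([.]|$)"), "OK",
      true(), "NOT OK")
| eval matching_like=case(
      a == b, "OK",
      like(b, a . ".%"), "OK",
      true(), "NOT OK")
| table listA listB a b matching_match matching_like
```

Expected result: rows 1 to 4 come out "OK" in both columns (row 4 only because of the lower()/rtrim() normalisation), and rows 5 and 6 come out "NOT OK". match() takes a regular expression, so concatenating the short name into the pattern with "." only works because listA is a bare host with no regex metacharacters; hyphens are fine, but anything else would need escaping first. like() uses SQL wildcards, where "%" matches any run of characters and "_" matches exactly one character, so a short name containing an underscore would match more loosely than intended. One caveat worth stating for an inventory reconciliation: every approach in this thread, rex, split/mvindex, match() and like() alike, compares short names only, so xyz2.ent.bhpbilliton.net and an xyz2 in any other domain both come out "OK". If list A is known to belong to one domain, appending that domain to listA and comparing the full names is the stricter check.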