| eval field_c=if(field_a == field_b, null(), field_a)
Good morning Marnall! Thank you very much for your support... with your help I managed to solve this problem!!!
Could you please help with the SPL syntax to match a wildcard entry?
@Alan_Chan I have upgraded Splunk from version 9.3.1 to 9.4.0 on a Linux platform and observed this warning. However, Splunk is functioning properly, and no issues have been noticed post-upgrade. I believe the warning can be safely removed. I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
These are separate events, not multivalue fields.
The wildcard needs to be defined in the lookup, e.g. abc* will match abc and abc_123.
Again, are these separate events or multi-value fields in the same event?
Not without combining them into a single event. This is usually done with some sort of stats command, e.g. stats, eventstats, streamstats, etc. Depending on what you are trying to do and how the data is represented in your events, there could be a number of ways to do this.
Hi @RSS_STT, in the same option of the same section try with WILDCARD instead of CIDR. Ciao. Giuseppe
What if I want to match host_name=abc and host_name=abc_123, which are in the lookup file?
Hi @RSS_STT , in [Settings > Lookups > Lookup Definitions ] open "Advanced Options" and configure CIDR as match_type, as described at https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration Ciao. Giuseppe
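Putting the two lookup answers in this thread together (the CIDR match type described above and the WILDCARD match type suggested earlier), the following is an added example of the search once the match types are in place. It is not code from the original replies. It assumes two lookup definitions that the page does not show: ip_lookup over ip.csv with its match_type set to CIDR(ip), and host_lookup over a constructed host.csv with columns host_name and owner and match_type set to WILDCARD(host_name). In transforms.conf the equivalent settings are `match_type = CIDR(ip)` and `match_type = WILDCARD(host_name)` in the respective stanzas. The rows 192.168.101.10, 192.168.101.0/24 and abc* used in the explanation are constructed sample data.

```spl
| makeresults
| eval ip="192.168.101.10", host_name="abc_123"
| lookup ip_lookup ip OUTPUT host
| lookup host_lookup host_name OUTPUT owner
| table ip host host_name owner
```

With both the exact row 192.168.101.10 and the CIDR row 192.168.101.0/24 present in ip.csv, the lookup returns every matching row (up to the definition's max_matches), so host comes back as a multivalue field holding both rows' values; append `| mvexpand host` if one row per match is wanted. The wildcard row abc* matches both abc and abc_123 in the same way. Note that the match type belongs to the lookup definition, not the file: running `| lookup ip.csv ip OUTPUT host` directly against the CSV bypasses the definition and falls back to exact matching, which is why the original search returned only one row.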
Can I do wildcard matching in a lookup?

| makeresults | eval ip="192.168.101.10" | lookup ip.csv ip OUTPUT host

In my lookup I have two entries, ip=192.168.101.10 and ip=192.168.101.10/24. How can I add a wildcard (*) for the match so that I get both entries?
That's it! I hadn't even considered that. Thank you so much!   But given Where only works one event at a time, does that mean it can't be used to compare fields in two different sourcetypes?
No, they are not quoted strings separated by commas. I think I didn't put the example in the right way; let me try the example below:

field_a    field_b
rohan      rohan
rahul      rahul
raj

Now I need the difference between the above two fields as field_c: raj
The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any matches.
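As an added example (not code from any of the replies), this is the stats-based approach the two answers above point to, for the case discussed in this thread: instead of comparing a field from one sourcetype against the same field in another sourcetype inside where, which only ever sees one event, group both sourcetypes by the shared value and inspect how many sourcetypes each value appeared in. The index name network and the assumption that both sourcetypes extract a field named src_mac are mine, not from the page.

```spl
index=network (sourcetype=bro_known_devices OR sourcetype="ise:syslog") src_mac=*
| eval src_mac=upper(src_mac)
| stats dc(sourcetype) AS sourcetype_count values(sourcetype) AS sourcetypes count BY src_mac
| eval status=case(sourcetype_count==2, "seen in both sourcetypes",
                   sourcetypes=="ise:syslog", "in ise:syslog only",
                   true(), "in bro_known_devices only")
| table src_mac status sourcetypes count
```

The upper() normalization keeps the case-insensitive comparison from the original where clause, but it is applied before the events are combined. After stats there is one row per MAC address, so the comparison is a plain where or case on sourcetype_count; no quoting of field names with hyphens or colons is needed because the dynamic src_mac_{sourcetype} fields are never created.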
Strange, that's exactly what I tried before posting, but it still resulted in 0 hits, whereas a wildcard got me the results I was looking for. For the sake of experimentation, I changed the eval to:

| eval src_mac_{index}=src_mac

Making this change, there would be no illegal characters in the field name, only a-z plus the underscore. Despite that, the search still didn't function properly. Furthermore, single quotes cause the search not to match anything regardless of whether I use a wildcard or not. It has to be double quotes.
Tokens are usually passed as query parameters on URLs. Without knowing how your javascript is creating or using the tokens, it is a bit difficult to be more definitive.
Try not introducing an "illegal" character in the first place!

| eval src_mac_{sourcetype}=src_mac

Also, use single quotes around the field name, particularly on the right-hand side of the eval:

| where upper('src_mac-bro_known_devices') = upper('src_mac-ise:syslog')
Please clarify the contents of these fields. Are they quoted strings separated by commas? Are they multivalue fields with each value being an unquoted string? Are they different events with different values for the fields? The best way to illustrate your data is to paste the raw event data into a code block (using the </> button) so that the formatting of the event is preserved.