×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
onur
Explorer
Member since: ‎04-12-2021
‎06-21-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-12-2021
View All

Re: How Can I Create a Search To Compare 2 Fields ...

by SplunkTrust in Splunk Search
‎11-07-2021 01:21 AM
‎11-07-2021 01:21 AM
Technically, the problem you first described is solved - you have now described a different problem. You are trying to "join" events where the joining field values only partially match. Given your example, can you extract just the string you want to match on? For example, if you can assume that the id is made up of numbers, uppercase letters, minus and underscore, and sometimes preceded by an underscore, you could try something like this | makeresults | eval field1=split("536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656|remote_splunk_.com_536456786786_454AS6DASD-98SAD-787RET-98SAD-GASDA54656","|") | mvexpand field1 | streamstats count as source | eval name="datafrom".source | eval {name}=random()%10 | fields - name | rex field=field1 max_match=0 "_?(?<id>[0-9A-Z_-]+)" | eval id=mvindex(id,-1) | stats values(*) as * by id ... View more

Re: How to See New Index Log

by SplunkTrust in Splunk Search
‎05-26-2021 05:46 AM
‎05-26-2021 05:46 AM
Splunk does not record who edited the configuration files.  It sounds like you need version control for *.conf files. ... View more

Re: SPL for Wrong Written Searches

by SplunkTrust in Splunk Search
‎04-12-2021 05:14 PM
‎04-12-2021 05:14 PM
Use the REST API to get a list of saved searches. | rest splunk_server=local /services/saved/searches Then use appropriate SPL commands, like rex and regex, to search the "search" field for wrongness.  The specifics will depend on your definition of "wrong written". ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-21-2022 04:42 AM