Re: Is there a way to search where 4 letters in Fi...

aikn061 · ‎11-14-2022

Hi Guys,

So if I have two fields with really random set of text, no similarities except the red text. Does have the 'red' fonts in similarity as below.

In this case, is there a way to search to say when first four letters in FieldA exists in FieldB, exclude?

This would be very easy in powershell or python. I am medium splunk user as well, but not sure how I'd do this in splunk.

This would be very helpful.. Your help is appreciated in advance.

aikn061 · ‎11-18-2022

Both methods do work - Thanks RichGalloway and Bowesmana

richgalloway · ‎11-18-2022

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎11-14-2022

See if this helps.

| eval exclString=substr(FieldA, 1, 4)
| where NOT match(FieldB, exclString)

EDIT: I fixed this answer to exclude rather than include matches. Thanks, @bowesmana !

---
If this reply helps you, Karma would be appreciated.

bowesmana · ‎11-14-2022

Or the minimalist one liner 😃 - but turning round the logic to exclude rather than include those matching items

| where !match(FieldB, substr(FieldA, 1, 4))

Is there a way to search where 4 letters in FieldA NotMatch FieldB?