I would like to take the value of a field and see if it is CONTAINED within another field (not an exact match). The text is not necessarily always at the beginning. Some examples of what I am trying to match:
Ex: field1=text field2=text@domain
Ex2: field1=text field2=sometext
I'm attempting to search Windows event 4648 for non-matching usernames. We have users with admin accounts whose names are very close to their unprivileged account names, but with a couple of characters added.
You can do something like this:
your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")
Like this:
| where match(field2,field1)
Or this:
... | rename _raw AS raw
| map search="|noop|stats count as contained|eval field2=\"$field2$\" | eval contained=if(like(field2, \"%$field1$%\"), \"$raw$\", null())"
I tried to apply this logic as I want to check if the values from con_splunkUL exist within con_UL, but for me it seems it's checking for a direct match between both fields rather than checking for a match within the whole data set.
| eval MonitoringStatus = if(like(con_splunkUL,"%".con_UL."%"), "Monitored", "Not Monitored")
Did you figure this out? I'm having the same issue.
I have the same type of issue here. I want to look into two tables and match field values: if any match is found then ignore it, and if no match is found then create a separate table to display only the unique values that come out of the two tables.
Here are my tables. Example: if the search picks a value (353649273) from table A, then it should search for a match against all values in table B, not just the single value in the same row.
OrderNumberFailureA OrderNumberFailureB
353649273 353648649
353649184 353648566
353649091 353616829
353649033 353648649
353648797
353648680
353648745
353648730
353638941
353649331
340568517
353638941
353648361
349156251
353649335
353649091
353649240
353649143
353649160
353649092
353649312
353648984
353649091
353649163
353649240
353649092
353649143
353649095
353649008
353648984
353649008
353648794
353648856
353649273
353648796
353648754
353648620
353648594
353648794
353648649
353648685
353648651
353638941
353648610
353649273
353649241
353649163
353616829
353649163
353648754
353649347
353649335
353648748
353648661
353648649
353648754
353648649
353648649
353648984
353648994
353648802
353649263
353648649
353649347
353649240
353649178
353616829
353649092
353648984
353648754
353648768
353648749
353649387
353648680
353648649
353648566
Did anyone get a chance to look into this as well?
It's complicated, I still didn't get this quite working.
I tried using a foreach loop but that didn't work. If we think about the logic, it says we have to pick a value from table A and search for it against each value in the next table (B), which logically should be possible using a foreach loop to iterate through each value.
Also, if this is not possible, can you write a query to get the count of unique values by appending column 2 to column 1 and then checking for a count greater than 1?
But in this case we have to dedup columns 1 & 2 before we append them to avoid any discrepancy. Waiting for your comments....
Even if we append and dedup, the results are still different because they are prefixes... the CIDR command can only work for numerical values that are IP addresses, but in this instance we are using hex decimals. So at this stage it is not possible. We tried using foreach, but because we have 30,000 different prefixes our subsearches were huge and maxed out.
Can we store the results of both search queries in two lookup tables instead of creating a normal table, and after that compare them for unique values?
Just asking.
Yes I did, I used the below.
| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")
Also here is another example I used within the same search
| eval Action=if((MonitoringStatus="Not Monitored") AND like(Path,"%Hosting%"), "Action Required", "No Action Required")
Regarding this though, how would you go about it if you have an index with values... and you want to check it against a .csv which contains prefixes...
I've currently got a question posted on splunkanswers. https://answers.splunk.com/answers/692085/how-to-match-two-columns-based-on-prefix-numbersle.html#an...
Try this:
| eval match=if(match(text,text2),1,0)
| where match=1
As the match function takes a regex, you can use one field as the regex to match against another field.
From eval docs:
match(SUBJECT, "REGEX")
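The two answers above rely on different semantics: like() treats % and _ in the concatenated field as wildcards, and match() treats the whole of field1 as a regex, so a username containing . or _ can match the wrong thing, and both are case-sensitive (which is why the upper() workaround later in the thread is needed). The following Python is an added example, not code from the thread or from Splunk: it emulates the two SPL functions, runs the posted checks and a hardened check over a few constructed 4648-style events, and flags the "admin alias contains the unprivileged name" case the original question asked about. The field names SubjectUserName and TargetUserName and all sample values are assumptions.

```python
import re

# Constructed sample 4648 events, not from the original thread. The field
# names SubjectUserName / TargetUserName are assumed; adapt to your add-on.
EVENTS = [
    {"SubjectUserName": "jsmith",     "TargetUserName": "jsmith"},      # same account
    {"SubjectUserName": "jsmith",     "TargetUserName": "JSMITH-ADM"},  # admin alias, case differs
    {"SubjectUserName": "a.lee",      "TargetUserName": "adm_a.lee"},   # admin alias, literal hit
    {"SubjectUserName": "r.lee",      "TargetUserName": "rblee-adm"},   # '.' regex pitfall
    {"SubjectUserName": "svc_backup", "TargetUserName": "svcxbackup"},  # '_' like() pitfall
    {"SubjectUserName": "bob",        "TargetUserName": "alice"},       # unrelated
]


def spl_like(subject: str, pattern: str) -> bool:
    """Emulate SPL like(SUBJECT, PATTERN): '%' is any run of characters,
    '_' is any single character, everything else is literal; case-sensitive."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, subject, flags=re.DOTALL) is not None


def spl_match(subject: str, regex: str) -> bool:
    """Emulate SPL match(SUBJECT, REGEX): unanchored, case-sensitive search."""
    return re.search(regex, subject) is not None


def contained_like(needle: str, haystack: str) -> bool:
    """like(field2, "%".field1."%") as posted: wildcards inside field1 leak through."""
    return spl_like(haystack, "%" + needle + "%")


def contained_match(needle: str, haystack: str) -> bool:
    """match(field2, field1) as posted: field1 is interpreted as a regex."""
    return spl_match(haystack, needle)


def contained_match_escaped(needle: str, haystack: str) -> bool:
    """match() with the needle escaped so every character is literal."""
    return spl_match(haystack, re.escape(needle))


def contained_safe(needle: str, haystack: str) -> bool:
    """Literal, case-insensitive containment that also rejects identical names,
    i.e. the 4648 question: the target account embeds the subject account name."""
    n, h = needle.casefold(), haystack.casefold()
    return n in h and n != h


def flag_admin_pivots(events):
    """Return (subject, target) pairs where the target looks like an admin
    alias derived from the subject's unprivileged account name."""
    return [
        (e["SubjectUserName"], e["TargetUserName"])
        for e in events
        if contained_safe(e["SubjectUserName"], e["TargetUserName"])
    ]


if __name__ == "__main__":
    for e in EVENTS:
        s, t = e["SubjectUserName"], e["TargetUserName"]
        print(f"{s:>11} -> {t:<11} like={contained_like(s, t)!s:<5} "
              f"match={contained_match(s, t)!s:<5} safe={contained_safe(s, t)}")
    print("flagged:", flag_admin_pivots(EVENTS))
```

Running it shows the two false positives: like() accepts svcxbackup for svc_backup because _ matched the x, and match() accepts rblee-adm for r.lee because the . matched the b, while neither posted check catches JSMITH-ADM for jsmith because both are case-sensitive. In SPL the equivalent of contained_safe is to compare upper() (or lower()) of both fields as the later reply does, and to add a TargetUserName!=SubjectUserName condition so that an account using its own credentials is not reported.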
You can do something like this:
your search | eval result=if(like(field2,"%".field1."%"),"Contained","Not Contained")
I am using this and it works, but how can I have it ignore the case of the compared (contained) string, i.e. make it case insensitive?
Thanks very much! I was able to get it working with this.