Re: How to compare a particular word with each and...

AyushiSrivas · ‎07-14-2023

I have a list of below host in a csv

uasws12

usaws120

usaws11

usaws13

susaws13

usaws130

usaws14

usaws15

usaws16

usaws17

usaws173

usaws18

tusaws18

so the output should be following, if there is some preceding and succeeding char(including digits and alphabets), then it should be displayed as the output in another column. Please help me with the query.

Expected Output:-

uasws12

usaws13

usaws17

usaws18

AyushiSrivas · ‎07-14-2023

I have a list of below host in a csv

uasws12

usaws120

usaws11

usaws13

susaws13

usaws130

usaws14

usaws15

usaws16

usaws17

usaws173

usaws18

tusaws18

so the output should be following, if there is some preceding and succeeding char(including digits or alphabets) like for example uasws12 has its succeeding char as digit 0 i.e uasws120 so it should be come in output, like wise usaws18 has it preceding char as alphabet t i.e. tusaws18 so in that case also it should be displayed in output list . In both the case like if a string is either having preceding and succeeding value or both then it should be outputted, Please help me with the query. this is very urgent.

Expected Output:-

uasws12

usaws13

usaws17

usaws18

PickleRick · ‎07-15-2023

Also let me add that if "this is very urgent" - that's what you pay either your local friendly Splunk partner or Professional Services for. This is a community-driven forum where people voluntarily use their time to help others. And do that in their own time at their own pace.

yuanliu · ‎07-15-2023

To make it easier to understand (and to calculate by a computer), let me restate the problem:

In an array of n elements, select element i if element i+1 contains element i.

Thus,

| inputlookup hostcsv ``` output host ```
| eval n = mvrange(1, mvcount(host))
| eval output = mvmap(n, if(match(mvindex(host, n), mvindex(host, n-1)), mvindex(host, n-1), null()))

Below is an emulation for you to play around and compare with real data.

| makeresults
| eval host = mvappend("uasws12",
"uasws120",
"usaws11",
"usaws13",
"susaws13",
"usaws130",
"usaws14",
"usaws15",
"usaws16",
"usaws17",
"usaws173",
"usaws18",
"tusaws18")
``` the above emulates 
| inputlookup hostcsv
and outputs host ```

ITWhisperer · ‎07-15-2023

Assuming there was a typo in your first line, try something like this

| makeresults
| fields - _time
| eval _raw="usaws12
usaws120
usaws11
usaws13
susaws13
usaws130
usaws14
usaws15
usaws16
usaws17
usaws173
usaws18
tusaws188"
| multikv noheader=t
| fields _raw
| eventstats values(_raw) as all
| foreach mode=multivalue all
    [| eval match=if(match(<<ITEM>>,".*"._raw.".*") AND <<ITEM>>!=_raw,"true",match)]
| where isnotnull(match)
| fields _raw

AyushiSrivas · ‎07-15-2023

@ITWhisperer

Thanks alot, The solution given by you works for me, but one last point i want to use the data coming directly from index i.e like below: -

|tstats count WHERE index=unix by host | sort host | table host

so, in that case what modifications is needed. Pls tell me know , I tried but not getting any output.

ITWhisperer · ‎07-15-2023

Bear in mind that host is treated as a regex so if your host names have special characters in the regex sense then he results might not be quite as expected.

| tstats count WHERE index=unix by host
| sort host
| table host
| eventstats values(host) as all
| foreach mode=multivalue all
    [| eval match=if(match(<<ITEM>>,".*".host.".*") AND <<ITEM>>!=host,"true",match)]
| where isnotnull(match)
| fields host

AyushiSrivas · ‎07-15-2023

@ITWhisperer

Thanks a lot, it really helped me today, the solution is perfect 😊.

yuanliu · ‎07-14-2023

Enough teasing. Now, please tell us what is the formula? I see no logical connection between the list and the result.

How to compare a particular word with each and every word in the list of host and get the below output .

eval

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio