Hi, Fellow Splunkers,
Noob question. I would like to ask for help with my search. This is the case: the client gave a csv of keywords, and the search should be filtered based on the keywords matched. For example, if the keywords are "Apple, Banana, Car", the output data should contain 2 or more keyword matches. What will be my search? Is there an if match.count > 1 condition in Splunk?
Thanks,
Heh. We've encountered this kind of question before. I'm starting to think it's a class assignment somewhere. Here's one version...
The basic form of the test required is like this...
| rex "(?i)(?<matchword>firstword|secondword|thirdword|morewords)" max_match=0
| where mvcount(matchword)>1
...and you can build the rex with code like this if your lookup table is going to be stable...
https://answers.splunk.com/answers/501920/how-to-create-a-custom-field-to-match-a-particular.html
... ah, this may be the whole thing, or at least closely related...
https://answers.splunk.com/answers/555958/search-based-on-word-match.html
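An added example, not part of the original answer: a Python sketch that builds the rex alternation from the keyword CSV with regex metacharacters escaped, and emulates the max_match=0 / mvcount test locally. The CSV header `keyword`, the sample rows and all function names are assumptions; the `distinct` option goes beyond the answer to show that mvcount also counts repeats of a single keyword.

```python
import csv
import io
import re

# Constructed sample of the client's keyword CSV; the "keyword" header is an assumption.
SAMPLE_CSV = "keyword\nApple\nBanana\nCar\nC++\n"


def load_keywords(csv_text, column="keyword"):
    """Return the non-empty, stripped keywords from one CSV column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if row[column].strip()]


def build_alternation(keywords):
    """Escape each keyword so metacharacters (+, |, parentheses) match literally."""
    # Longest first, so a keyword that is a prefix of another cannot shadow it.
    ordered = sorted(set(keywords), key=lambda k: (-len(k), k))
    return "|".join(re.escape(k) for k in ordered)


def build_spl(keywords, field="matchword"):
    """Render the two SPL lines from the answer around the escaped alternation."""
    alternation = build_alternation(keywords).replace('"', '\\"')
    return ('| rex "(?i)(?<%s>%s)" max_match=0\n'
            '| where mvcount(%s)>1' % (field, alternation, field))


def matches(keywords, event):
    """Emulate rex max_match=0: every non-overlapping match, in order."""
    pattern = re.compile("(?i)(?:%s)" % build_alternation(keywords))
    return pattern.findall(event)


def passes_filter(keywords, event, distinct=False):
    """mvcount(matchword)>1; distinct=True counts each keyword once (case-folded)."""
    found = matches(keywords, event)
    if distinct:
        found = {m.lower() for m in found}
    return len(found) > 1
```

Without the escaping step, a keyword such as "C++" or one containing "|" would change the meaning of the generated rex instead of matching literally.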
Hi, I would like to ask for help once again. What about this case: the keyword to find is "Apple".
The regex couldn't find the word Apple if it has a comma beside it unless I also add the comma to the keyword, like Apple, | Banana:
rex "(?i)(?<keyword_found>Apple| Banana......
Apple,
@dantimola - unless you want to treat "Apple" and "Apple," as two different items, you should leave out the punctuation. The regex will find Apple no matter what is around it... for example, CrabApple or ApplePieComputers would still lead to finding Apple.
Thank you very much!
Can you please put an example of the csv here, and sample output of what you require?