Splunk Search

eval searchmatch with OR

DanielFordWA
Contributor

I am trying to do a search match based on a number of different criteria.

The below does not work.

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/|*/Product/Product*Overview/Global*|*/Product/Product*Overview/EMEA/*|*/Product/Product*Overview/APAC/|*/Product/Product*Overview/Americas/"),1,null()) | stats count(Product) as Product by date_month

The below does return results but I want to combine Product 1-5 into one column and add the results.

sourcetype="iis-2" | extract auto=true | search cs_username |
eval Product1=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/"),1,null()) |
eval Product2=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Global*"),1,null()) |
eval Product3=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/EMEA/*"),1,null()) |
eval Product4=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/APAC/*"),1,null()) |
eval Product5=if(searchmatch("cs_uri_stem=*/Product/Product*Overview/Americas/*"),1,null()) |
stats count(Product1) as Product1 count(Product2) as Product2 count(Product3) as Product3 count(Product4) as Product4 count(Product5) as Product5 by date_month

I can't use */Product/Product*Overview/* as there are pages other than the ones above I do not want to include.

I am stuck, hope you can help.


lukejadamec
Super Champion

This is the way you would use OR with rex. If your strings are correct, then this should work with the exception of /Product/Product.*Overview/. I left that out because from the looks of it you are specifying the overview/X strings that you want, and you said there are many that you don't want:

 | rex field="cs_uri_stem" ".*(?<PRODUCT>/Product/Product.*Overview/Global.*|/Product/Product.*Overview/EMEA/.*|/Product/Product.*Overview/APAC/.*|/Product/Product.*Overview/Americas/.*)$" | eval Contact=if(match(cs_uri_stem,"/Contacts/ContactProfile/"),1,null()) 


lukejadamec
Super Champion

Yes, if you also want to create the field Contact when the stem = that value only, then you would include that eval statement at the end. I tested it with different stems and it worked. I updated the query.


DanielFordWA
Contributor

Is it possible to combine this in a query where I am also using eval on the cs_uri_stem,
eval Contact=if(match(cs_uri_stem,"/Contacts/*Contact*Profile/"),1,null()) |


DanielFordWA
Contributor

I just added /Product/Product.*Overview/. to the query and it works great.


DanielFordWA
Contributor

This works great, however I do need the....

/Product/Product.*Overview/

It used to be the case that this page was split by geo location and it is now not the case, so to do a query over the year I would need to include the below page but no pages underneath it.

/Product/Product.*Overview/


alacercogitatus
SplunkTrust

The problem with searchmatch is that it is not regex, so separating searches with "|" (or) will not work. You can do it this way:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=if(match(cs_uri_stem,"/Product/Product.*Overview/$"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/Global.*"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/EMEA/.*"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/APAC/"),1,if(match(cs_uri_stem,"/Product/Product.*Overview/Americas/"),1,null()))))) | stats count(Product) as Product by date_month

Or a non-nested version:

sourcetype="iis-2" | extract auto=true | search cs_username | eval Product=case(match(cs_uri_stem,"/Product/Product.*Overview/$"),1,match(cs_uri_stem,"/Product/Product.*Overview/Global.*"),1,match(cs_uri_stem,"/Product/Product.*Overview/EMEA/.*"),1,match(cs_uri_stem,"/Product/Product.*Overview/APAC/"),1,match(cs_uri_stem,"/Product/Product.*Overview/Americas/"),1,true(),null()) | stats count(Product) as Product by date_month

UPDATE
I fixed the syntax on the two searches.
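Added example (not code from any post in this thread): a Python re check, kept to syntax that Python and Splunk's PCRE share, for turning the asker's glob-style stems into one anchored regex joined with OR, the form both the rex answer and the match()/case answer rely on, and confirming it excludes pages beneath Overview/ before the pattern goes into a search. The sample cs_uri_stem values are constructed.

```python
import re

# Glob-style stems as the asker listed them. A trailing "*" means "anything
# below this path"; no trailing "*" means the stem must END here, so a page
# such as /Product/ProductOverview/Pricing must not count.
PRODUCT_GLOBS = [
    "/Product/Product*Overview/",
    "/Product/Product*Overview/Global*",
    "/Product/Product*Overview/EMEA/*",
    "/Product/Product*Overview/APAC/*",
    "/Product/Product*Overview/Americas/*",
]

def glob_to_regex(glob: str) -> str:
    """Translate one glob-style stem into an end-anchored regex fragment.

    Literal text is escaped and each "*" becomes ".*", which is what
    match() and rex expect. searchmatch() would treat "|" as literal text,
    which is why the first query in the thread returned nothing.
    """
    parts = [re.escape(p) for p in glob.split("*")]
    return ".*".join(parts) + "$"

def build_alternation(globs) -> str:
    """Join the fragments with "|" into a single regex, as the rex answer does."""
    return "(?:" + "|".join(glob_to_regex(g) for g in globs) + ")"

PRODUCT_RE = re.compile(build_alternation(PRODUCT_GLOBS))

def is_product(stem: str) -> bool:
    """Python equivalent of: eval Product=if(match(cs_uri_stem, <regex>), 1, null())"""
    return PRODUCT_RE.search(stem) is not None

def count_product_hits(stems) -> int:
    """Python equivalent of: stats count(Product)"""
    return sum(1 for s in stems if is_product(s))

# Constructed sample stems (not taken from the thread) with the expected verdict.
SAMPLE_STEMS = {
    "/Product/ProductOverview/": True,
    "/Product/Product-Overview/Global": True,
    "/Product/ProductOverview/EMEA/Pricing": True,
    "/Product/ProductOverview/Pricing": False,  # beneath Overview/, must be excluded
    "/Contacts/ContactProfile/": False,
}

if __name__ == "__main__":
    print(PRODUCT_RE.pattern)
    for stem, expected in SAMPLE_STEMS.items():
        print(f"{stem:45} -> {is_product(stem)} (expected {expected})")
```

The printed pattern can be pasted into match() as-is; for rex, wrap the alternation in a named group such as (?<PRODUCT>...) as in the accepted answer.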


DanielFordWA
Contributor

Hi, thanks for the response, I am just testing them now.

The first query comes back with...

Error in 'eval' command: The operator at ')' is invalid.

The non-nested version comes back with...

Error in 'eval' command: The operator at ',null())' is invalid.


alacercogitatus
SplunkTrust

Did either of these work for you?


lukejadamec
Super Champion

Something like this:
sourcetype="iis-2" | extract auto=true | search cs_username | rex field=cs_uri_stem ".*(?<Global>/Product/Product.*Overview/Global)$"
This probably won't work because I don't have the entire value string, but that is basically it to create a field called Global for that stem.
Can you post the full cs_uri_stem values?


DanielFordWA
Contributor

Thanks for the reply. I have not done this before, how would I go about doing this?


lukejadamec
Super Champion

I've never been able to get regex or wildcards to work in an if statement. Your best bet is probably creating a rex that will create a field for each. Once you have them as fields, then you can do pretty much whatever you want.
