Had a Splunk use-case present itself today on needing to determine if the value of a field was found in another – specifically, it's about deciding if a lookup table's category name for a network endpoint is "the same" as the dest_category assigned by a Forescout CounterACT appliance.

We have "customer validated" (and we all know how reliable that kind of data can be… (the customer is always wrong)) names for network endpoints. These should be "identical" to the dest_category field assigned by CounterACT … but, as we all know, "should" is a funny word.

What I tried (that does not work) was to get like() to work:

| eval similar=if(like(A,'%B%') OR like(B,'%A%'), "yes", "no")

I tried a slew of variations around the theme of trying to get the value of the field to be in the match portion of the like().

What I ended-up doing (that does work) is this:

| eval similar=if((match(A,B) OR match(B,A)), "yes", "no")

That uses the value of the second field listed to be the regular expression clause of the match() function.

To make this work well:

- match case between the fields (I did upper())
- remove "unnecessary" characters – in my case, I yoinked all non-word characters with this replace() eval: | eval A=upper(replace(A,"\W",""))
- know that there are limitations to this comparison method:
  - "BOB" will 'similar' match to "BO", but not "B OB" (hence removing non-word characters before the match())
  - "BOB" is not 'similar' to "ROB" – even though, in the vernacular, both might be an acceptable shortening of "ROBERT"
- if you need more complex 'similar' matching, check out the JellyFisher add-on on Splunkbase. It supports Soundex, Levenshtein distance, and a variety of other comparison functions.

Thanks, also, to those on the Splunk Usergroups Slack #search-help channel for working me towards a solution (even though what they suggested was not the direction I ended up going).
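To see how the match()-based comparison behaves on realistic endpoint names before trusting it in a search, here is an added Python re-implementation of the two evals (normalize with upper()/replace(), then the two-way match); it is not SPL and not from the original post. The sample pairs are constructed, and the empty-value guard and the regex-validity check are additions beyond the post's SPL.

```python
import re


def normalize(value: str) -> str:
    """Mirror of the post's eval: upper(replace(A, "\\W", ""))."""
    return re.sub(r"\W", "", value).upper()


def similar(a: str, b: str) -> str:
    """Mirror of: eval similar=if((match(A,B) OR match(B,A)), "yes", "no").
    match() uses its second argument as a regex, so each value is tried as a
    pattern against the other; re.search has the same semantics."""
    return "yes" if re.search(b, a) or re.search(a, b) else "no"


def raw_match_is_safe(value: str) -> bool:
    """Added check: does the raw value even compile as a regex? Names containing
    '+', '(' or '.' are pattern syntax to match(), not literal text."""
    try:
        re.compile(value)
    except re.error:
        return False
    return True


def compare(lookup_name: str, dest_category: str, clean: bool = True) -> str:
    """Full pipeline: optional normalization, then the two-way match."""
    if clean:
        lookup_name, dest_category = normalize(lookup_name), normalize(dest_category)
    # Added guard: an empty pattern matches everything, which would be a false 'yes'.
    if not lookup_name or not dest_category:
        return "no"
    return similar(lookup_name, dest_category)


# Constructed (lookup name, CounterACT dest_category) pairs exercising the caveats.
SAMPLE_PAIRS = [
    ("BOB", "BO"),                        # yes: BO is found inside BOB
    ("BOB", "B OB"),                      # yes only once non-word characters are removed
    ("BOB", "ROB"),                       # no: neither value contains the other
    ("Printer (HP)", "printer (hp)"),     # raw: parentheses are regex grouping, so 'no'
    ("C++ Build Host", "c++ build host"), # raw value is not even a valid regex
]


def run(pairs=SAMPLE_PAIRS) -> dict:
    """Return {'lookup|dest': 'yes'/'no'} for each pair using the cleaned comparison."""
    return {f"{a}|{b}": compare(a, b) for a, b in pairs}
```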