Had a Splunk use-case present itself today on needing to determine if the value of a field was found in another – specifically, it’s about deciding if a lookup table’s category name for a network endpoint is “the same” as the dest_category assigned by a Forescout CounterACT appliance.
We have “customer validated” (and we all know how reliable that kind of data can be… (the customer is always wrong)) names for network endpoints.
These should be “identical” to the dest_category field assigned by CounterACT … but, as we all know, “should” is a funny word.
What I tried (that does not work) was to get like() to work:
| eval similar=if(like(A,'%B%') OR like(B,'%A%'), "yes", "no")
I tried a slew of variations around the theme of trying to get the value of the field to be in the match portion of the like().
What I ended-up doing (that does work) is this:
| eval similar=if((match(A,B) OR match(B,A)), "yes", "no")
That uses the value of the second field listed to be the regular expression clause of the match() function.
Things you should do ahead of time:
- match case between the fields (I did upper(); lower() would work as well)
- remove “unnecessary” characters – in my case, I yoinked all non-word characters with this replace() eval:
| eval A=upper(replace(A,"\W",""))
- know that there are limitations to this comparison method
- “BOB” will ‘similar’ match to “BO”, but not “B OB” (hence removing non-word characters before the match())
- “BOB” is not ‘similar’ to “ROB” – even though, in the vernacular, both might be an acceptable shortening of “ROBERT”
- if you need more complex ‘similar’ matching, check out the JellyFisher add-on on Splunkbase
- it supports Soundex, Levenshtein distance, and a variety of other comparison functions
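To see the normalize-then-match() logic above (and its limitations) outside of Splunk, here is an added Python re-implementation; it is not part of the original post, and the endpoint category pairs it runs over are constructed sample data, not real lookup or CounterACT values.

```python
import re


def normalize(value: str) -> str:
    """Mirror `| eval A=upper(replace(A,"\\W",""))`: strip non-word chars, upper-case.

    Stripping \\W also removes regex metacharacters such as ( ) . [ ] + *, which
    matters because match() interprets the second field's value as a regex.
    """
    return re.sub(r"\W", "", value).upper()


def similar(a: str, b: str) -> str:
    """Mirror `| eval similar=if(match(A,B) OR match(B,A), "yes", "no")`.

    Splunk's match() is an unanchored regex test with the second argument as the
    pattern, so re.search() is the equivalent: B is used as a regex against A
    and then A as a regex against B.
    """
    return "yes" if re.search(b, a) or re.search(a, b) else "no"


def compare_categories(lookup_name: str, dest_category: str) -> str:
    """Normalize both fields first, then apply the two-way match() test."""
    return similar(normalize(lookup_name), normalize(dest_category))


# Constructed sample rows: (lookup-table category, CounterACT dest_category).
SAMPLE_ROWS = [
    ("BOB", "BO"),            # substring either way -> "yes"
    ("BOB", "B OB"),          # only "yes" after the non-word characters are removed
    ("BOB", "ROB"),           # no substring relation -> "no" (no fuzzy matching here)
    ("Printer (HP)", "printer-hp"),  # normalization makes these "PRINTERHP" == "PRINTERHP"
]


def run_samples(rows=SAMPLE_ROWS):
    """Return {(lookup_name, dest_category): similar} for each constructed row."""
    return {(a, b): compare_categories(a, b) for a, b in rows}


if __name__ == "__main__":
    for (a, b), verdict in run_samples().items():
        print(f"{a!r:16} vs {b!r:16} -> {verdict}")
    # Without normalization the parentheses act as a regex group, so a value
    # does not even match itself:
    print("raw 'Printer (HP)' vs itself ->", similar("Printer (HP)", "Printer (HP)"))
```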
Thanks, also, to @trex and @The_Tick on the Splunk Usergroups Slack #search-help channel for working me towards a solution (even though what they suggested was not the direction I ended up going).