Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do something like if two of more of ( s1,s2,s3 ) in URL, and symbol count > 2 in url?

bluewizard
Explorer
‎05-18-2023 07:33 PM

.... url = "abc-jjjj-j-xyz.exmaple.come"
|eval s1 = abc
|eval s2 = efg
|eval s3 = xyz
|eval symbol ="-"

how do i do something like if two of more of ( s1,s2,s3 ) in URL, and symbol count > 2 in url?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-18-2023 08:16 PM

Hi @bluewizard 

Something like this would work.  

|makeresults
| eval url="abc-jjjj-j-xyz.exmaple.come"
      ,s1=if(match(url, "abc"), 1, 0)  ``` regex ```
      ,s2=if(match(url, "efg"), 1, 0)
      ,s3=if(like(url, "%xyz%"), 1, 0) ``` more SQL like ```
      ,s4=if(searchmatch("url=*jjjj*"), 1, 0)  ``` probably the least efficient method depending on the base seach ```
| addtotals label=s* fieldname="symbol_count"
| where symbol_count>2

 As the original question has been answered you should make this answer as solution provided.

Karma would also be appreciated too.

Hope that helps

View solution in original post

Reply
Solved! Jump to solution

yeahnah
Motivator
‎05-18-2023 07:45 PM

Hi @bluewizard 

Here is a run anywhere example showing a few different methods you could use...

 

|makeresults
| eval url="abc-jjjj-j-xyz.exmaple.come"
      ,s1=if(match(url, "abc"), "true", "false")  ``` regex ```
      ,s2=if(match(url, "efg"), "true", "false")
      ,s3=if(like(url, "%xyz%"), "true", "false") ``` more SQL like ```
      ,s4=if(searchmatch("url=*jjjj*"), "true", "false")  ``` probably the least efficient method depending on the base seach ```

 

Here's the latest Splunk docs on eval functions, too.

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/CommonEvalFunctions#Alphabetical_...

Hope that helps

0 Karma
Reply
Solved! Jump to solution

bluewizard
Explorer
‎05-18-2023 08:04 PM

i have tried the sql like method

how do i do something like if two or more of ( s1,s2,s3 ) in URL, and count of symbol > 2 in url?

 
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-18-2023 08:16 PM

Hi @bluewizard 

Something like this would work.  

|makeresults
| eval url="abc-jjjj-j-xyz.exmaple.come"
      ,s1=if(match(url, "abc"), 1, 0)  ``` regex ```
      ,s2=if(match(url, "efg"), 1, 0)
      ,s3=if(like(url, "%xyz%"), 1, 0) ``` more SQL like ```
      ,s4=if(searchmatch("url=*jjjj*"), 1, 0)  ``` probably the least efficient method depending on the base seach ```
| addtotals label=s* fieldname="symbol_count"
| where symbol_count>2

 As the original question has been answered you should make this answer as solution provided.

Karma would also be appreciated too.

Hope that helps

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...