Spread our blog

Usage of Splunk Eval Function: MATCH

match” is a Splunk eval function. we can consider one matching “REGEX” to return true or false or any string.

  • This function takes matching “REGEX” and returns true or false or any given string.
  • Functions of “match” are very similar to case or if functions but, “match” function deals with regular expressions.
  • Try to mention “^” and “$” signs with the regular expression to perform a compact and full match in case of “match” function.

NOTE: “^” and “$” characters are used in regular expressions to identify the start and end of the string.

Syntax:

MATCH(X,”REGEX”)

X: Name of the field where you want to match the given regex with.

Example:

index="finance" source="Financial*" 
| table SegmentNo,Segment,Country,Product,UnitsSold,SalePrice,Sales,Profit 
| eval Match=if(match(SegmentNo,"^\d{1,3}\w\d{2}\w\d{1,4}$"),"Yes","No")

Result:

Explanation:

Here we have some financial data in our “finance” index. In the beginning, we used the “table” command to give a tabular showcase for all required fields. Then we have a “match” function with “if” to produce results in “match” filed. Because the “match” function can match the events but can’t populate any new field values. That’s why we have used the “if” function, which means whenever the match condition will satisfy it will return “Yes” otherwise “NO”. Now coming back to the “match” function, here we have mentioned a field called “SegmentNo”. I.e. we want to match our given regular expression with the “SegmentNo” field. Then we used our required regular expression to match.

You can also know about :  How to find a field name if the field value is known?

Example:

In this example, we will show another way to use the “match” function other than this.

We can use the “match” function with the “where” command also.

index="finance" source="Financial*" 
| table SegmentNo,Segment,Country,Product,UnitsSold,SalePrice,Sales,Profit 
| where match(SegmentNo,"^\d{1,3}\w\d{2}\w\d{1,4}$")

Result:

Explanation:

We have used the same regular expression to match, but this time it’s not returning any new field. Instead of that it’s just fetching only matched events.

This is all about ” Usage of Splunk Eval Function: MATCH“. see you all in the next one.

Happy Splunking!!

What’s your Reaction?
+1
+1
+1
+1
+1
2
+1
+1

Spread our blog

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here