More than 5 years have passed since last update.

The problem of match() matching too much

A small tip.

Introduction

match(), one of the eval Conditional Functions:

match(SUBJECT, "REGEX")
Description
This function returns TRUE or FALSE based on whether REGEX matches SUBJECT.

This function compares the regex string REGEX to the value of SUBJECT and returns a Boolean value. It returns TRUE if the REGEX can find a match against any substring of SUBJECT.
In other words, it matches whether SUBJECT is a _multivalue_ or a _single value_ field, which makes it very handy.

match.spl
| makeresults
| eval _raw="AllUsers ModifiedUsers
 Usr1            Usr4
 Usr3            Usr2
 Usr2            Usr1
 Usr4"
| multikv forceheader=1
| stats values(*) as *
| table AllUsers ModifiedUsers
    `comment("this is your result sample. from here, the logic")`
| stats values(*) as * by AllUsers
| eval check=if(match(ModifiedUsers,AllUsers),1,0)
| stats values(eval(if(check=0,AllUsers,NULL))) as AllUsers

In this query _ModifiedUsers_ is multivalue, yet the match works without any problem.

match() matches too much

match_too_much.spl
| makeresults
| eval _raw="AllUsers,ModifiedUsers
admin,splunk
splunk,tenable.admin
tenable.admin,"
| multikv forceheader=1
| stats values(*) as *
| table AllUsers ModifiedUsers
    `comment("this is your result sample. from here, the logic")`
| stats values(*) as * by AllUsers
| eval check = if(match(ModifiedUsers,AllUsers),1,0)
| stats values(eval(if(check=0,AllUsers,NULL))) as AllUsers

Here admin ends up matching tenable.admin (it is a substring of it), so this does not work.
So what should we do? :thinking:

Solution

match_enough.spl
| makeresults
| eval _raw="AllUsers,ModifiedUsers
admin,splunk
splunk,tenable.admin
tenable.admin,"
| multikv forceheader=1
| stats values(*) as *
| table AllUsers ModifiedUsers
    `comment("this is your result sample. from here, the logic")`
| stats values(*) as * by AllUsers
| eval check = if(match(ModifiedUsers,"^".AllUsers."$"),1,0)
| stats values(eval(if(check=0,AllUsers,NULL))) as AllUsers

The second argument is a REGEX (regular expression), so write it properly as a regular expression: anchoring with ^ and $ turns the substring search into a whole-value comparison.
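As an added example (not part of the original post), the following Python reproduces the logic of the three SPL queries above on the post's own sample data, so the three pattern-building choices can be compared side by side: unanchored, anchored, and anchored plus escaping. The escaping step goes one caveat beyond the post: because AllUsers values are used as regex text, a value such as tenable.admin still contains the metacharacter `.`, so `^tenable.admin$` would also match a constructed value like tenable-admin; `re.escape` here plays the role an explicit escaping step (for example via replace()) would have to play in SPL.

```python
import re

# Constructed sample data, taken from the post's match_too_much.spl example.
ALL_USERS = ["admin", "splunk", "tenable.admin"]
MODIFIED_USERS = ["splunk", "tenable.admin"]

# Constructed data for the metacharacter caveat: "tenable.admin" was NOT
# modified, but a different user whose name differs only at the "." was.
DOTTED_ALL = ["tenable.admin", "tenable-admin"]
DOTTED_MODIFIED = ["tenable-admin"]


def build_pattern(user, mode):
    """Turn one AllUsers value into the regex handed to match()."""
    if mode == "substring":           # match(ModifiedUsers, AllUsers)
        return user
    if mode == "anchored":            # match(ModifiedUsers, "^".AllUsers."$")
        return "^" + user + "$"
    if mode == "escaped":             # anchored AND metacharacters escaped
        return "^" + re.escape(user) + "$"
    raise ValueError("unknown mode: " + mode)


def unmodified_users(all_users, modified_users, mode):
    """Users in all_users that match none of modified_users.

    Mirrors the SPL: check=if(match(ModifiedUsers, <pattern>),1,0) followed
    by keeping only the AllUsers values with check=0. match() returns TRUE
    if REGEX matches any substring of any value of the multivalue SUBJECT,
    which is exactly what re.search over each value does.
    """
    result = []
    for user in all_users:
        pattern = build_pattern(user, mode)
        if not any(re.search(pattern, mv) for mv in modified_users):
            result.append(user)
    return result


if __name__ == "__main__":
    for mode in ("substring", "anchored", "escaped"):
        print(mode, unmodified_users(ALL_USERS, MODIFIED_USERS, mode))
        print(mode, unmodified_users(DOTTED_ALL, DOTTED_MODIFIED, mode))
```

On the post's data only "substring" is wrong (it drops admin); on the dotted data "anchored" is also wrong (it drops tenable.admin), and only "escaped" gives the intended result.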

Summary

With match(), or rather with regular expressions in general, a match is sometimes broader or narrower than you expected.
Things like .* and \w+ can match far more than intended, or fail to match at all.
I check patterns on regex101, but the fact that Splunk basically only uses the g flag among the _REGEX FLAGS_ trips me up from time to time.
I guess I really do need the bible :sweat:
