icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Fuzzy Search for Splunk
SHA256 checksum (fuzzy-search-for-splunk_206.tgz) 94b50a053a3a71c922b57fa78f945f28c461874c2c95ff6248b0258d410b4f07 SHA256 checksum (fuzzy-search-for-splunk_205.tgz) f964c755d05d9220828aff2f9eb1dd530cb5aba62c5938a69d0edef7ac011205 SHA256 checksum (fuzzy-search-for-splunk_204.tgz) a1c52fc6d2ddc2209cd2c0fec5d7198c4232726368c4e4ea4e27910bdac50eef SHA256 checksum (fuzzy-search-for-splunk_203.tgz) 1eef6af9e6998c9a3891c1dbde70a9a06782b2572f2add0a18ea038f9bd14bd5 SHA256 checksum (fuzzy-search-for-splunk_202.tgz) b76c0fca75a81596b20dd10195761ba83dbf24c9e022262ca901e8738eaf24de SHA256 checksum (fuzzy-search-for-splunk_201.tgz) 763cd89beb5892338e51e7b9b7fa8b5424470cbec70387f10dc4df91b3353b75 SHA256 checksum (fuzzy-search-for-splunk_20.tgz) 1a7d440b02fe39ff3e392c01c8cdaf611384ed09cb601afd653616ae1a609dc8 SHA256 checksum (fuzzy-search-for-splunk_122.tgz) 988c5480385758479a6b171e1480f76355b418de85851b1d1af3c20212a3f0cb SHA256 checksum (fuzzy-search-for-splunk_121.tgz) d69b4eeb4e001480399e94a446d29d1e954b3f1f5d4d1aa95ff28c06dc4a5116 SHA256 checksum (fuzzy-search-for-splunk_12.tgz) c22b344ddc360eeb50c4679c1eca9917a56e36252bd2300a7e67df97ba13722e SHA256 checksum (fuzzy-search-for-splunk_11.tgz) ccd0707e18e6466f8a5a509a5e753ac6b0a310d8b0500636a5a175572c33b555 SHA256 checksum (fuzzy-search-for-splunk_10.tgz) e6d377b8ed4116910d2b17d10cd67db35c4dbb0142fed2377eb7e63dcffc1473
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Fuzzy Search for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
The goal of this app is to provide simple fuzzy matching to find lookalikes in a given dataset. For example, you could leverage this to search against process execution logs to find fuzzy matches for "svchost.exe" to highlight executions of "svch0st.exe" or "scvhost.exe".

Change Log

1.0

  • Initial Release

1.1

  • Minor changes to try to increase performance of the script
  • Verified app continued to function with splunk 6.5

1.2

  • Added searchbnf.conf
  • Added minor error checking in case a user provides a bad delim regex

1.2.1

  • No one told me there was an error in the script and I guess I didn't test it fully. Stupid typo. :(

1.2.2

  • I changed the default behavior of the script. If you don't want to specify a delimiter, it will no longer try to split the input. If a bad delimiter is given, it will default to a newline.

2.0

  • Migrated from intersplunk to the Splunk SDK for Python.
  • Updated fuzzywuzzy library to latest release
  • Updated readme file to markdown syntax
  • Verified compatibility with Splunk 7.0
  • Set option local = True to force the command to only run on the search head
  • Made a number of workflow improvements, trying to increase command performance.
  • Now only bothers to track the maximum ratio matched instead of also tracking the minimum.

2.0.1

  • Bug fixes to support multivalue input fields again

2.0.2

  • Documentation updates based on appinspect output.

2.0.3

  • Added appicon images for compatibility with certification.

2.0.4

  • Added user requested feature to supply a wordlist from a field in a given event
  • Confirmed compatibility with Splunk 7.1

2.0.5

  • Removed configuration to force command to run locally to support distributed streaming
  • Tested compatibility with Splunk 7.2

2.0.6

  • Updated fuzzywuzzy library to 0.17
  • Minor code update for future py3 compat
  • Tested compatibility with Splunk 7.3

Prerequisites

This search command is packaged with the following external libraries:
+ Splunk SDK for Python version 1.6.6 (http://dev.splunk.com/python)
+ FuzzyWuzzy 0.17.0 (https://github.com/seatgeek/fuzzywuzzy)

Nothing further is required for this add-on to function.

Installation

Follow standard Splunk installation procedures to install this app.

Reference: https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall
Reference: https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall

Usage

Using a static wordlist provided as input

| fuzzy wordlist="svchost.exe" type="simple" compare_field="tester" output_prefix="fuzz" delims="(\\\\)"
  • Wordlist is a comma separated list of words you want to check for fuzzy matches.
  • Type is the type of matching. Reference the library documentation, acceptable values are: simple, partial, token_sort, token_set
  • Compare_field defaults to _raw and is the field you want to do your fuzzy matching in.
  • Output_prefix defaults to 'fuzzywuzzy_'.
  • Delims accepts a regex string, escaped splunk style, and defaults to (\\\\|/|\s+|;|-)

Using a field based wordlist (Version 2.0.4 and later)

| fuzzy wordlist=Creator_Process_Name compare_field=New_Process_Name
  • Wordlist is a field that exists in each event containing a comma separated list of words
  • All other options are the same

Sample Use Cases / Searches

Look for process names similar to svchost.exe

eventtype=win_process_new New_Process_Name=* | fuzzy wordlist="svchost.exe" compare_field="New_Process_Name"

Search for Proxy Logs with domainms similar to your company

eventtype=proxy_logs domain=* | fuzzy wordlist="companydomain1.com,companydomain2.com,companydomain3.com" compare_field="domain"

Performance Considerations

There is a nested loop of death whereby the provided wordlist is split and the given input is split. You can improve your performance in the following ways:

  • Keep your wordlist to a minimum
  • Keep the regex splitting delimeters to a minimum
  • Try to filter data before passing it to this command (i.e. don't pass in useless junk)

I use this command in production and will continue to work on improvements but considering the looping that is done, it may always have performance issues.

How it works (basically):

  1. The wordlist is separated
  2. The comparison field is separated by the delimeter string provided
  3. The two are compared
  4. And add the following values to the event output:
  5. prefix_max_match_word
  6. prefix_max_match_ratio

The ratio will contain a value, 0 to 100, where 100 is a perfect match. The word values will contain what actually matched in the input/wordlist combination.

Support

If support is required or you would like to contribute to this project, please reference: https://gitlab.com/johnfromthefuture/TA-fuzzy. This app is supported by the developer as time allows.

Release Notes

Version 2.0.6
Aug. 1, 2019

## 2.0.6
+ Updated fuzzywuzzy library to 0.17
+ Minor code update for future py3 compat
+ Tested compatibility with Splunk 7.3

Version 2.0.5
Oct. 22, 2018

## 2.0.5
+ Removed configuration to force command to run locally to support distributed streaming
+ Tested compatibility with Splunk 7.2

Version 2.0.4
May 16, 2018

## 2.0.4
+ Added user requested feature to supply a wordlist from a field in a given event
+ Confirmed compatibility with Splunk 7.1

Version 2.0.3
March 10, 2018

+ Added appicon images for compatibility with certification.

Version 2.0.2
March 9, 2018

+ Documentation updates based on appinspect output.

Version 2.0.1
March 9, 2018

+ Bug fixes to support multivalue input fields again

Version 2.0
March 9, 2018

+ Migrated from intersplunk to the Splunk SDK for Python.
+ Updated fuzzywuzzy library to latest release
+ Updated readme file to markdown syntax
+ Verified compatibility with Splunk 7.0
+ Set option `local = True` to force the command to only run on the search head
+ Made a number of workflow improvements, trying to increase command performance.

Version 1.2.2
Nov. 12, 2016

Minor script modifications changing the regex splitting assumptions. If you now choose not to specify a "delimiter" to split up the input field, the script will no longer default to splitting that field. I did this for performance reasons allowing for the possibility to preprocess data before passing it to this script.

Version 1.2.1
Nov. 11, 2016

Version 1.2.1
I put in a bad try/except block typing try/else instead... Fixed.

Version 1.2
Oct. 2, 2016

- Adds minor error checking for a bad regex
- Adds searchbnf.conf for documentation and highlighting

Version 1.1
Oct. 2, 2016

- Minor changes to try to increase performance of the script
- Verified app continued to function with Splunk 6.5

Version 1.0
March 30, 2016

Version 1.0: Custom search command implementation of FuzzyWuzzy libraries. Reference: https://github.com/seatgeek/fuzzywuzzy

89
Installs
645
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.