https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350899#M103873 <P>@kmaron, to mark this question as answered, please accept the answer if this has helped.</P> Fri, 20 Apr 2018 12:16:59 GMT niketn 2018-04-20T12:16:59Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350893#M103867 <P>I've figured out how to use the match condition to use a wildcard in my eval, however now I need to put at NOT with it and I'm stuck. </P> <P>I have this which works</P> <PRE><CODE>| eval NewDocType = case(match(Indexer,"ID*"),Document_Type) </CODE></PRE> <P>But now I need the opposite where Indexer does NOT start with ID* to fill the field OriginalDocType with the Document_Type</P> Thu, 19 Apr 2018 20:24:21 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350893#M103867 kmaron 2018-04-19T20:24:21Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350894#M103868 <P>Just do like this</P> <PRE><CODE>| eval NewDocType = case(NOT match(Indexer,"^ID"),Document_Type) </CODE></PRE> <P>With match you can do partial match, no wildcard required. It actually uses regular expression (not like search wildcard), so your current expression will match all Indexer with which have <CODE>ID*</CODE> (0 or more occurrence of alphabet D)</P> Thu, 19 Apr 2018 20:49:12 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350894#M103868 somesoni2 2018-04-19T20:49:12Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350895#M103869 <P>@kmaron, try the following match condition for finding <CODE>indexers not starting with ID</CODE>:</P> <PRE><CODE>| eval OriginalDocType=case(match(indexer,"^(?!^ID).*"),DocumentType) </CODE></PRE> <P>Following is a run anywhere example.</P> <PRE><CODE>| makeresults | fields - _time | eval indexer="ID3489724,SID203984,IDKJERH897,ADID90842ID" | makemv indexer delim="," | mvexpand indexer | eval DocumentType="Test" | eval OriginalDocType=case(match(indexer,"^(?!^ID).*"),DocumentType) </CODE></PRE> Thu, 19 Apr 2018 21:58:09 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350895#M103869 niketn 2018-04-19T21:58:09Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350896#M103870 <P>It seems so simple to just stick a NOT in there. Thank you for explaining about match! </P> Fri, 20 Apr 2018 11:55:07 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350896#M103870 kmaron 2018-04-20T11:55:07Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350897#M103871 <P>When I ran this your way and then with the NOT that @somesoni2 mentioned the NOT came out a tiny bit faster but it's extremely fast in my tiny search anyway so the difference is negligible. Do you know which one would be more efficient? </P> Fri, 20 Apr 2018 11:57:07 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350897#M103871 kmaron 2018-04-20T11:57:07Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350898#M103872 <P>@kmaron Use Job Inspector with some significant amount of data to test out the performance.</P> Fri, 20 Apr 2018 12:16:11 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350898#M103872 niketn 2018-04-20T12:16:11Z https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350899#M103873 <P>@kmaron, to mark this question as answered, please accept the answer if this has helped.</P> Fri, 20 Apr 2018 12:16:59 GMT https://community.splunk.com/t5/Splunk-Search/eval-match-with-NOT-condition/m-p/350899#M103873 niketn 2018-04-20T12:16:59Z