https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48835#M11674 <P>HURA you are brilliant thanks</P> Wed, 11 Jan 2012 21:00:47 GMT hartfoml 2012-01-11T21:00:47Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48833#M11672 <P>Here is what I am using:</P> <PRE><CODE>| eval siteName = case (Destination_IP == "199.47.*", dropbox.com) </CODE></PRE> <P>I have tried everything and it is not working. Do you think it is because of the numbers "199.47.*"?</P> Wed, 11 Jan 2012 19:42:46 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48833#M11672 hartfoml 2012-01-11T19:42:46Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48834#M11673 <PRE><CODE>| eval siteName = case(match(Destination_IP, "^199\.47\..*$"), "dropbox.com") </CODE></PRE> Wed, 11 Jan 2012 20:47:53 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48834#M11673 imrago 2012-01-11T20:47:53Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48835#M11674 <P>HURA you are brilliant thanks</P> Wed, 11 Jan 2012 21:00:47 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48835#M11674 hartfoml 2012-01-11T21:00:47Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48836#M11675 <P>Opps the match doesn't seem to work in case<BR /> '| eval siteName = case(match(Destination_IP, "^199.47..<EM>$"), "dropbox.com",match(Destination_IP, "^85.17.30.</EM>$"), "megadownload.net",match(Destination_IP, "^195.122.131.*$"), "rapidshare.com")'</P> Mon, 28 Sep 2020 10:18:13 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48836#M11675 hartfoml 2020-09-28T10:18:13Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48837#M11676 <P>the second argument of match function is a regex and "^199.47..$" in you example is not equal with "^199.47..*$" as I had suggested</P> <P><A href="http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/">http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/</A></P> Wed, 11 Jan 2012 21:58:41 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48837#M11676 imrago 2012-01-11T21:58:41Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48838#M11677 <P>OK I think I understand well not relay</P> <P>So if I want to use case to get a variable named siteName and I have three possible sites identified by three possible IP’s I would normally use this</P> <P>'| eval siteName = case (Destination_IP == "199.47.<EM>”, dropbox.com, Destination_IP == “85.17.30.</EM>", megadownload.net, Destination_IP == "195.122.131.*", rapidshare.com)'</P> <P>But this isn’t working and the multiple matches are not working. Do you have any other suggestions for CASE</P> Mon, 28 Sep 2020 10:18:16 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48838#M11677 hartfoml 2020-09-28T10:18:16Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48839#M11678 <P>I see now, / characters where removed</P> Wed, 11 Jan 2012 23:19:01 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48839#M11678 imrago 2012-01-11T23:19:01Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48840#M11679 <PRE><CODE>| eval siteName = case(match(Destination_IP,"^199\.47\..*”), "dropbox.com", match(Destination_IP,“^85\.17\.30\..*"), "megadownload.net", match(Destination_IP,"^195\.122\.131\..*"), "rapidshare.com") </CODE></PRE> Wed, 11 Jan 2012 23:21:54 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48840#M11679 imrago 2012-01-11T23:21:54Z https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48841#M11680 <P>This is the real answer. thanks this fixed the issue. you are a regex guru. thanks again</P> Thu, 12 Jan 2012 22:18:13 GMT https://community.splunk.com/t5/Splunk-Search/Having-Trouble-With-CASE/m-p/48841#M11680 hartfoml 2012-01-12T22:18:13Z