https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407902#M117791 <P>Instead of using <CODE>like</CODE> in your <CODE>case</CODE> statement, use <CODE>match</CODE>. The <CODE>match</CODE> function accepts regular expressions. For example,</P> <P><CODE>eval Port_Flag= case(match(PORT_DESC,"PORT: BackPort:.*"), "Flag_NO", match(PORT_DESC,"PORT: .*? BackPort:.*"), "Flag_YES",1=1,"Other")</CODE></P> Fri, 30 Nov 2018 13:18:42 GMT richgalloway 2018-11-30T13:18:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407901#M117790 <P>hi,</P> <P>I have a field PORT_DESC with the values as:<BR /> "somethings sdsa Device:XYZ PORT: 1.2.3 BackPort: 4.5.6 some other text"<BR /> "somethings Othertext Device: PORT: BackPort: some other text"<BR /> Now I need to define a Port_Flag separating these values as:</P> <PRE><CODE>eval Port_Flag= case(like(PORT_DESC,"%PORT: BackPort:%"), "Flag_NO",like(PORT_DESC,"%PORT: 1.2.3 BackPort:%"),"Flag_YES",1=1,"Other") </CODE></PRE> <P>However, the Port value can be anything such as 1.2.3 or CRMT or vw3d. </P> <P>How can I separate these values where either no Port value is given or some value is assigned? Any regular expression will also be a great help, which can define </P> <PRE><CODE>PORT:[Anything 0-9 or A-Z or a-z $%&amp;/()] BackPort: </CODE></PRE> <P>Thanks in advance.</P> Tue, 29 Sep 2020 22:09:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407901#M117790 Chandras11 2020-09-29T22:09:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407902#M117791 <P>Instead of using <CODE>like</CODE> in your <CODE>case</CODE> statement, use <CODE>match</CODE>. The <CODE>match</CODE> function accepts regular expressions. For example,</P> <P><CODE>eval Port_Flag= case(match(PORT_DESC,"PORT: BackPort:.*"), "Flag_NO", match(PORT_DESC,"PORT: .*? BackPort:.*"), "Flag_YES",1=1,"Other")</CODE></P> Fri, 30 Nov 2018 13:18:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407902#M117791 richgalloway 2018-11-30T13:18:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407903#M117792 <P>Thanks for the info. However, .*? take everything. How can I remove not 1 but any number fo space characters there? </P> Fri, 30 Nov 2018 13:42:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407903#M117792 Chandras11 2018-11-30T13:42:39Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407904#M117793 <P>Try: PORT: [^ ]+ BackPort:</P> Fri, 30 Nov 2018 15:26:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407904#M117793 whrg 2018-11-30T15:26:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407905#M117794 <P><CODE>.*?</CODE> is non-greedy and should stop at " BackPort". <CODE>\S+</CODE> is an alterative (perhaps a better one).</P> Fri, 30 Nov 2018 17:55:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-use-an-eval-command-with-a-case-function-with-regex-to/m-p/407905#M117794 richgalloway 2018-11-30T17:55:44Z