https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480950#M140427 <P>how might i incorporate regex into a like eval element in a search like this. This syntax does not work</P> <P>| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR <BR /> (signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR<BR /> (signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert", <BR /> signature LIKE "%Java%", "Java",<BR /> signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",<BR /> signature LIKE "%Apache%", "Apache",<BR /> signature LIKE "%Apple%", "Apple",<BR /> signature LIKE "%Cisco%", "Cisco",<BR /> | search product=test<BR /> | dedup signature <BR /> | table signature product</P> Mon, 02 Mar 2020 07:33:48 GMT vikram1583 2020-03-02T07:33:48Z https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480950#M140427 <P>how might i incorporate regex into a like eval element in a search like this. This syntax does not work</P> <P>| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR <BR /> (signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR<BR /> (signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert", <BR /> signature LIKE "%Java%", "Java",<BR /> signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",<BR /> signature LIKE "%Apache%", "Apache",<BR /> signature LIKE "%Apple%", "Apple",<BR /> signature LIKE "%Cisco%", "Cisco",<BR /> | search product=test<BR /> | dedup signature <BR /> | table signature product</P> Mon, 02 Mar 2020 07:33:48 GMT https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480950#M140427 vikram1583 2020-03-02T07:33:48Z https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480951#M140428 <P>You're on the right track, but the format for <CODE>like</CODE> and <CODE>case</CODE> is wrong.</P> <PRE><CODE>| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown") </CODE></PRE> <P>In full:</P> <PRE><CODE>|eval product=case( like(signature,"%Cipher%") , "Cipher/Protocol/Cert", like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert", like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert", like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert", like(signature,"%SHA-%") , "Cipher/Protocol/Cert", like(signature,"%SWEET32%"), "Cipher/Protocol/Cert", like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert", like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert", like(signature,"%protocol%"), "Cipher/Protocol/Cert", like(signature, "%Java%"), "Java", like(signature ,"%Apache%"), "Apache", like(signature , "%Apple%"), "Apple", like(signature ,"%Cisco%"), "Cisco", match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test", 1=1, "Unknown" ) | search product=test | dedup signature | table signature product </CODE></PRE> <P>Excessive carriage returns for clarity only</P> Mon, 02 Mar 2020 13:57:45 GMT https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480951#M140428 nickhills 2020-03-02T13:57:45Z https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480952#M140429 <P>Thank You </P> Mon, 02 Mar 2020 18:38:42 GMT https://community.splunk.com/t5/Splunk-Search/can-some-one-help-me-in-fixing-this/m-p/480952#M140429 vikram1583 2020-03-02T18:38:42Z