https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556573#M158071 <P>I have a field with error messages that I need a case statement to cleanup for reporting. In this case some of the messages contain ID's which make the report long as each error has a unique ID. I want to lean this up by using something like</P><LI-CODE lang="markup">eval error=case(like(error, "%DB Error"), "Database error", like(error, "%network Error", "Network Error"))... Etc.</LI-CODE><P>I am not getting the matches that I should be getting with this though, still the full errors are showing. Is there a better way to accomplish this?</P> Mon, 21 Jun 2021 19:06:48 GMT aohls 2021-06-21T19:06:48Z https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556573#M158071 <P>I have a field with error messages that I need a case statement to cleanup for reporting. In this case some of the messages contain ID's which make the report long as each error has a unique ID. I want to lean this up by using something like</P><LI-CODE lang="markup">eval error=case(like(error, "%DB Error"), "Database error", like(error, "%network Error", "Network Error"))... Etc.</LI-CODE><P>I am not getting the matches that I should be getting with this though, still the full errors are showing. Is there a better way to accomplish this?</P> Mon, 21 Jun 2021 19:06:48 GMT https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556573#M158071 aohls 2021-06-21T19:06:48Z https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556586#M158074 <P>You could try using match something like this</P><LI-CODE lang="markup">eval error=case(match(error, "DB Error"), "Database error", match(error, "network Error"), "Network Error")... Etc.</LI-CODE> Mon, 21 Jun 2021 21:15:53 GMT https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556586#M158074 ITWhisperer 2021-06-21T21:15:53Z https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556689#M158104 <P>I should add that there are two fields I need to try to use. There is a error code and error description and the description has an id in it, so it could be "Database Error: 1234" and another is "Database Code: 3214". I want to combine these to just be "Database Error".</P> Tue, 22 Jun 2021 13:26:07 GMT https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556689#M158104 aohls 2021-06-22T13:26:07Z https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556696#M158106 <P>Since match uses regex, you can combine them so long as you can define a regex expression.</P><LI-CODE lang="markup">| makeresults | eval _raw="message Database Error: 1234 other message Database Code: 3214" | multikv noheader=t | eval error=case(match(_raw,"Database (Error|Code): \d+"),"Database Error",1==1,"Other Error") | table _raw error</LI-CODE> Tue, 22 Jun 2021 13:43:32 GMT https://community.splunk.com/t5/Splunk-Search/Case-with-multiple-potential-wildcard-matches/m-p/556696#M158106 ITWhisperer 2021-06-22T13:43:32Z