topic Re: How can I search for a particular string in a larger string? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381304#M166649 <P>Thank you thank you thank you thank you thank you!!!!</P> <P>Marry me!</P> Fri, 09 Nov 2018 18:58:44 GMT moizmmz 2018-11-09T18:58:44Z How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381302#M166647 <P>I am running the following query:</P> <PRE><CODE>index=uplynk slice_played | rex field=_raw "^(?&lt;date&gt;\S*)\s*(?&lt;time&gt;\S*)\s*(?&lt;slice_played&gt;\S*)\s*(?&lt;assetID&gt;\S*)\s*(?&lt;sliceNumber&gt;\S*)\s*(?&lt;isLive&gt;\S*)\s*(?&lt;userIP&gt;\S*)\s*(?&lt;playerUserAgent&gt;\S*)\s*(?&lt;referrerURL&gt;\S*)\s*(?&lt;externalUserID&gt;\S*)\s*(?&lt;sessionID&gt;\S*)\s*(?&lt;playingOwnerID&gt;\S*)\s*(?&lt;channelID&gt;\S*)\s*(?&lt;eventID&gt;\S*)\s*(?&lt;duration&gt;\S*)" | dedup channelID | search isLive=1 | stats values(playerUserAgent) </CODE></PRE> <P>And I get the following values for the newly created field playerUserAgent:</P> <PRE><CODE>- AppleCoreMedia%20/%201.0.0.12B411%20(iPhone;%20U;%20CPU%20OS%208_1%20like%20Mac%20OS%20X;%20en_us) AppleCoreMedia/1.0.0.12H606%20(Apple%20TV;%20U;%20CPU%20OS%208_4_2%20like%20Mac%20OS%20X;%20en_us) AppleCoreMedia/1.0.0.16A404%20(iPad;%20U;%20CPU%20OS%2012_0_1%20like%20Mac%20OS%20X;%20en_us) AppleCoreMedia/1.0.0.16J602%20(Apple%20TV;%20U;%20CPU%20OS%2012_1%20like%20Mac%20OS%20X;%20en_us) AppleCoreMedia/1.0.0.18A391%20(Macintosh;%20U;%20Intel%20Mac%20OS%20X%2010_14;%20en_us) Dalvik/2.1.0%20(Linux;%20U;%20Android%208.0.0;%20SM-J337P%20Build/R16NW)%20FOX%20NOW/3.10.2 Lavf/57.83.100 Mozilla/5.0%20(Linux;%20Android%205.1.1;%20AFTT%20Build/LVY48F;%20wv)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Version/4.0%20Chrome/59.0.3071.125%20Mobile%20Safari/537.36 Mozilla/5.0%20(Linux;%20Android%207.1.2;%20AFTN%20Build/NS6255;%20wv)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Version/4.0%20Chrome/59.0.3071.125%20Mobile%20Safari/537.36 Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/70.0.3538.77%20Safari/537.36 Mozilla/5.0%20(X11;%20Linux%20armv7l)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/66.0.3359.120%20Safari/537.36%20CrKey/1.32.124602 Mozilla/5.0%20(X11;%20Linux%20armv7l)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/69.0.3497.86%20Safari/537.36%20CrKey/1.35.137090 Mozilla/5.0%20(X11;%20Linux%20i686)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/29.0.1547.57%20Safari/537.36 Mozilla/5.0%20(X11;%20Linux%20x86_64;%20rv:28.0)%20Gecko/20100101%20Firefox/28.0 Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%207_1%20like%20Mac%20OS%20X)%20AppleWebKit/537.51.2%20(KHTML,%20like%20Gecko)%20Version/7.0%20Mobile/11D167%20Safari/9537.53%20Witbe Roku/DVP-8.10%20(048.10E04145A) Roku/DVP-8.10%20(098.10E04131A) Roku/DVP-8.10%20(288.10E04155A) Roku/DVP-8.10%20(558.10E04145A) Roku/DVP-8.20%20(088.20E04167A) Roku/DVP-9.0%20(559.00E04052A) </CODE></PRE> <P>I'm aiming to create a new field called 'devicetype' which shows the following:<BR /> Roku<BR /> iOS<BR /> Android and so on</P> <P>So maybe I can use a search match or something..where if I find the word Roku in the string..I can put it under 'Roku'</P> <P>Pls help!</P> Fri, 09 Nov 2018 17:39:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381302#M166647 moizmmz 2018-11-09T17:39:09Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381303#M166648 <P>You could do an eval like this:</P> <PRE><CODE>| eval devicetype = case(like(playerUserAgent, "%Roku%"), "Roku", like(playerUserAgent, "%iOS%"), "iOS", like(playerUserAgent, "%Android%"), "Android", 1=1,"Other") </CODE></PRE> Fri, 09 Nov 2018 18:23:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381303#M166648 kmaron 2018-11-09T18:23:03Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381304#M166649 <P>Thank you thank you thank you thank you thank you!!!!</P> <P>Marry me!</P> Fri, 09 Nov 2018 18:58:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381304#M166649 moizmmz 2018-11-09T18:58:44Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381305#M166650 <P>Did EXACTLY what I wanted!</P> Fri, 09 Nov 2018 18:59:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381305#M166650 moizmmz 2018-11-09T18:59:33Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381306#M166651 <P>you are very welcome! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Fri, 09 Nov 2018 19:06:43 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381306#M166651 kmaron 2018-11-09T19:06:43Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381307#M166652 <P>What does the % inside the double quotes signify?</P> Fri, 09 Nov 2018 19:27:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381307#M166652 moizmmz 2018-11-09T19:27:58Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381308#M166653 <P>its a wildcard (much like you're used to using *)</P> Fri, 09 Nov 2018 19:28:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381308#M166653 kmaron 2018-11-09T19:28:54Z Re: How can I search for a particular string in a larger string? https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381309#M166654 <P>Cool! thanks..</P> Fri, 09 Nov 2018 22:04:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-search-for-a-particular-string-in-a-larger-string/m-p/381309#M166654 moizmmz 2018-11-09T22:04:46Z