https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643850#M223047 <P>i have tried the sql like method</P><DIV class=""><DIV class=""><P>how do i do something like if two or more of ( s1,s2,s3 ) in URL, and count of symbol &gt; 2 in url?</P></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV> Fri, 19 May 2023 03:04:40 GMT bluewizard 2023-05-19T03:04:40Z https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643846#M223044 <P>.... url = "abc-jjjj-j-xyz.exmaple.come"<BR />|eval s1 = abc<BR />|eval s2 = efg<BR />|eval s3 = xyz<BR />|eval symbol ="-"</P> <P>how do i do something like if two of more of ( s1,s2,s3 ) in URL, and symbol count &gt; 2 in url?</P> Fri, 19 May 2023 12:18:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643846#M223044 bluewizard 2023-05-19T12:18:32Z https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643849#M223046 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256861">@bluewizard</a>&nbsp;<BR /><BR />Here is a run anywhere example showing a few different methods you could use...</P><P>&nbsp;</P><LI-CODE lang="markup">|makeresults | eval url="abc-jjjj-j-xyz.exmaple.come" ,s1=if(match(url, "abc"), "true", "false") ``` regex ``` ,s2=if(match(url, "efg"), "true", "false") ,s3=if(like(url, "%xyz%"), "true", "false") ``` more SQL like ``` ,s4=if(searchmatch("url=*jjjj*"), "true", "false") ``` probably the least efficient method depending on the base seach ```</LI-CODE><P>&nbsp;</P><P>Here's the latest Splunk docs on eval functions, too.<BR /><BR /><A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/CommonEvalFunctions#Alphabetical_list_of_functions" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/CommonEvalFunctions#Alphabetical_list_of_functions&nbsp;</A></P><P>Hope that helps</P> Fri, 19 May 2023 02:47:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643849#M223046 yeahnah 2023-05-19T02:47:30Z https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643850#M223047 <P>i have tried the sql like method</P><DIV class=""><DIV class=""><P>how do i do something like if two or more of ( s1,s2,s3 ) in URL, and count of symbol &gt; 2 in url?</P></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV> Fri, 19 May 2023 03:04:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643850#M223047 bluewizard 2023-05-19T03:04:40Z https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643851#M223048 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256861">@bluewizard</a>&nbsp;</P><P>Something like this would work.&nbsp;&nbsp;</P><LI-CODE lang="markup">|makeresults | eval url="abc-jjjj-j-xyz.exmaple.come" ,s1=if(match(url, "abc"), 1, 0) ``` regex ``` ,s2=if(match(url, "efg"), 1, 0) ,s3=if(like(url, "%xyz%"), 1, 0) ``` more SQL like ``` ,s4=if(searchmatch("url=*jjjj*"), 1, 0) ``` probably the least efficient method depending on the base seach ``` | addtotals label=s* fieldname="symbol_count" | where symbol_count&gt;2</LI-CODE><P>&nbsp;As the original question has been answered you should make this answer as solution provided.<BR /><BR />Karma would also be appreciated too.<BR /><BR />Hope that helps</P> Fri, 19 May 2023 03:16:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-something-like-if-two-of-more-of-s1-s2-s3-in-URL-and/m-p/643851#M223048 yeahnah 2023-05-19T03:16:59Z