topic Re: How to use wildcard in case like condition? in Splunk Search

How to use wildcard in case like condition?

karthi2809 — Mon, 11 Mar 2024 10:44:20 GMT

Hi Guys, Thanks in Advance. So i have case conditions to be match in my splunk query.below the message based on correlationID.I want to show JobType and status. In status i added case like to match the conditions with message field.For the all three environment the message would be same but the environment name only differe.I added all the three in case. So how can we use wildcard in the case statement or any other different solutions to shorten the query.

(message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur")

(message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName | eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown") | eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur"%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR")

Re: How to use wildcard in case like condition?

richgalloway — Mon, 11 Mar 2024 16:18:09 GMT

The case function does not support wildcards natively, but you can use them in like (as you have) or you can use the equivalent regular expression using match.

| eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", match('message',"(TEST|DEV|PRD)\(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur"),"SUCCESS", like('TracePoint',"%EXCEPTION%"),"ERROR")

Re: How to use wildcard in case like condition?

karthi2809 — Mon, 11 Mar 2024 15:35:46 GMT

@richgalloway Its not working

Re: How to use wildcard in case like condition?

richgalloway — Mon, 11 Mar 2024 16:18:50 GMT

"its not working" doesn't tell me what's wrong so it's hard to offer a fix. It's possible, however, the regex needs improvement. Please try my updated answer.

Re: How to use wildcard in case like condition?

karthi2809 — Tue, 12 Mar 2024 12:39:13 GMT

Hi @richgalloway

As you mentioned match condition in case statement.let me share the query.If i use match i am not getting the Status field

index="mule" applicationName="api" environment=DEV timestamp (message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName | eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"),"OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown") | eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS",match('message',"%(TEST|DEV|PRD)(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR") |eventstats min(Timestamp) AS Start_Time, max(Timestamp) AS End_Time by CorrelationId | eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval ElapsedTimeInSecs=EndTime-StartTime | eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S") |rename Start_Time as Timestamp | table Status JobType ElapsedTimeInSecs "Total Elapsed Time" Timestamp CorrelationId message TargetFileName

Re: How to use wildcard in case like condition?

richgalloway — Tue, 12 Mar 2024 13:24:34 GMT

The match function treats "%" as a literal character rather than as a wildcard. Instead, match uses regular expressions. Remove the "%" from the match string and you should get a status value.