https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91072#M23435 <P>Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for literal asterisks(*). To work around I am using a regex to select only records starting with * or #, and then I am trying to use a case statement in eval to figure out what type of feature is being used by our customer.</P> <P>Example values of MYSOURCEFIELD (not exhaustive): *67, #31, *82</P> <P>Here is the search currently, it only searches for the first 2 cases:</P> <PRE><CODE>index=MYSOURCE|regex MYSOURCEFIELD="(\*|#)(31|67|82|65|77|87)"|eval Feature_Code=case(like(MYSOURCEFIELD,"%31"),"Caller ID Blocking Per Line",like(MYSOURCEFIELD,"%67"),"Caller ID Blocking Per Call")|table Feature_Code </CODE></PRE> <P>This returns nothing, even though I know a significant number of both are being utilized and can even be seen without the eval/case statement. Any suggestions on how to make the case statement work would be really appreciated, thank you.</P> Tue, 13 Mar 2012 19:14:48 GMT msarro 2012-03-13T19:14:48Z https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91072#M23435 <P>Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for literal asterisks(*). To work around I am using a regex to select only records starting with * or #, and then I am trying to use a case statement in eval to figure out what type of feature is being used by our customer.</P> <P>Example values of MYSOURCEFIELD (not exhaustive): *67, #31, *82</P> <P>Here is the search currently, it only searches for the first 2 cases:</P> <PRE><CODE>index=MYSOURCE|regex MYSOURCEFIELD="(\*|#)(31|67|82|65|77|87)"|eval Feature_Code=case(like(MYSOURCEFIELD,"%31"),"Caller ID Blocking Per Line",like(MYSOURCEFIELD,"%67"),"Caller ID Blocking Per Call")|table Feature_Code </CODE></PRE> <P>This returns nothing, even though I know a significant number of both are being utilized and can even be seen without the eval/case statement. Any suggestions on how to make the case statement work would be really appreciated, thank you.</P> Tue, 13 Mar 2012 19:14:48 GMT https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91072#M23435 msarro 2012-03-13T19:14:48Z https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91073#M23436 <P>Were you able to do this in steps, first evaluating your data -<BR /> index = my_source - did return some events,<BR /> index = my_source | regex my_source_field="(*|#)(31|67|82|65|77|87)" - did populate the field my_source_field,<BR /> then if that is the case, try adding the following<BR /> | eval feature_code = case(my_source_field like "%31%","Caller ID Blocking Per Line",my_source_field like "%67%","Caller ID Blocking Per Call") | table feature_code</P> Mon, 28 Sep 2020 11:34:10 GMT https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91073#M23436 schava 2020-09-28T11:34:10Z https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91074#M23437 <P>Your example definitely helped me get case working with like.</P> Fri, 06 Apr 2018 13:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Using-like-in-a-case-statement-not-working/m-p/91074#M23437 Nextbeat 2018-04-06T13:00:11Z