topic Re: Wildcard expansion in case statement in Splunk Search

Wildcard expansion in case statement

clashley — Mon, 28 Sep 2020 12:04:31 GMT

I'll start with what works: If I do a search

ERROR host="foobar0*"

The wildcard(*) expands and I get a list of results with extracted 'host' fields with "foobar01", "foobar02", "foobar03", etc. This is good.

Now I want to create a case statement which does this same search as one of the options. What I'm entering is

ERROR | eval host=case($env$=1,"foobar0*",$env$=2,"barfoo0*")

But that doesn't do the same wildcard expansion. All my host fields are "foobar0*" and I can't tell which actual host they are coming from. Is there a way to make this wildcard expansion work when it is returned from an 'eval' expression?

Re: Wildcard expansion in case statement

lguinn2 — Thu, 12 Jul 2012 22:12:19 GMT

The wildcard is supported for the search command only. The eval command and the where command do not support the wildcard -- plus, eval and where are case-sensitive. search is not case-sensitive.

I suggest that you use the match function of eval as the conditional argument in the case function.

[Updated to remove paragraph about == vs. = in the case function - they are interchangeable for an equality test.]

Examples:

ERROR | eval host=case(x==1,"foobar0",y==2,"barfoo0")

ERROR | eval startsWithX = if(match(host,"^X.*"),"Yes","no")

But I don't think I really understand your statement "I want to create a case statement which does this same search as one of the options". A case statement does not do a search - it sets the value of a variable.

What exactly are you trying to do? A little more context would help.

Re: Wildcard expansion in case statement

clashley — Thu, 12 Jul 2012 23:08:22 GMT

Thank you for your response, I'll try to clear things up - I do not wish to do comparison in my case statement using wildcards. I'm happy to do simple numerical comparison. What I want is to be able to perform two different searches depending on my token $env$.

So if $env$ is 1, I want to perform the search "ERROR host="foobar0*""

If $env$ is 2, I want to perform the search "ERROR host="barfoo0*""

I am trying to accomplish this with a case statement:

ERROR | eval host=case($env$==1,"foobar0*",$env$==2,"barfoo0*")

but it is not working

Re: Wildcard expansion in case statement

lguinn2 — Fri, 13 Jul 2012 18:40:44 GMT

AFAIK, that is not possible in the Splunk GUI. THe Splunk GUI does not recognize environment variables.

You could write a script that tests the environment variable and then launches the appropriate script, using the Splunk Command Line Interface (CLI).

Re: Wildcard expansion in case statement

clashley — Fri, 13 Jul 2012 20:35:09 GMT

I should be more clear, $env$ is not an environment variable. It is a token set through an earlier statement

Select Environment
foobar
barfoo

Re: Wildcard expansion in case statement

lguinn2 — Fri, 13 Jul 2012 22:51:23 GMT

Why not do it this way?

<input type="dropdown" token="env">
 <label>Select Environment</label>
 <choice value="foobar0*">foobar</choice>
 <choice value="barfoo0">barfoo</choice>
</input>

Then your search should be

ERROR host=$env$

The chosen value will be substituted; it should work.

Update: for the example below, where you want to drive multiple searches from a single selection box:

<input type="dropdown" token="env">
 <label>Select Environment</label>
 <choice value="ca">California</choice>
 <choice value="fl">Florida</choice>
</input>

Search 1 is:

error host="$env$_linux"

Search 2 is:

error host="$env$_solaris"

Re: Wildcard expansion in case statement

clashley — Mon, 28 Sep 2020 12:06:12 GMT

That does work, but I want to spawn multiple searches from a single pulldown. So lets say I have server farms in two states

Select Environment
California
Florida

In one panel I want to show the errors on the linux servers

ERROR | eval host=case($env$=1,"ca_linux*",$env$=2,"fl_linux*")

In the next panel, I want to show the errors on the solaris servers

ERROR | eval host=case($env$=1,"ca_solaris*",$env$=2,"fl_solaris*")

Re: Wildcard expansion in case statement

lguinn2 — Tue, 17 Jul 2012 06:55:48 GMT

Okay, your case statement might actually assign the value that you want to the host variable, but it doesn't search for hosts that match that value.

You would have to do something like this instead:

ERROR | eval hostMatch=case($env$=1,"ca_linux",$env$=2,"fl_linux") | where host=hostMatch

Also see updated answer above.

Re: Wildcard expansion in case statement

clashley — Thu, 09 Aug 2012 18:43:34 GMT

For the benefit of anyone looking at this, I solved my problem in a completely different way. I put the entire search string in the pulldown

Select Environment
foobar
barfoo

Then my search string is "source=/var/logs/data.log" | search $serverList$"

It would be painful for dozens of servers, but I have from 1 to 8 per environment. It's manageable

Re: Wildcard expansion in case statement

stanwin — Mon, 13 Feb 2017 16:41:25 GMT

index=main sourcetype=email address= | eval domain=case(address LIKE "%gmail.com", "GMAIL", address LIKE "%yahoo.com", "YAHOO",address LIKE "%hotmail.com","HOTMAIL")* | stats count by domain

(% is the wildcard)

From:
https://answers.splunk.com/answers/170602/how-would-i-use-eval-with-a-wildcard-to-create-a-c.html