https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118624#M31691 <P>I don't understand exactly what you need but surely it is something like this:</P> <PRE><CODE>| rex field=Name "(?i)pvms(?&lt;Physical_Host_Type&gt;\d+)" </CODE></PRE> Wed, 20 May 2015 21:10:11 GMT woodcock 2015-05-20T21:10:11Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118623#M31690 <P>This field is called 'Name' and contains around 10000 sever names, I am trying to use an eval formula to create a column to identify the vpvms of the following server name nadcvpvms04b.hca.corpad.net<BR /><BR /> I am a very new Splunk user I have tried everything and for the life of me can not get this to work and I am sure it is something easy.<BR /> This is what I have so far</P> <P>The case statement I tried</P> <PRE><CODE>| eval Physical Host Type=case(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host") </CODE></PRE> <P>and the if statement I tried</P> <PRE><CODE>| eval Physical Host Type=if(match(Name,"(?i)\p{Ll}vpvms"),"ESX Host","") </CODE></PRE> Wed, 20 May 2015 21:04:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118623#M31690 jhayIV 2015-05-20T21:04:24Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118624#M31691 <P>I don't understand exactly what you need but surely it is something like this:</P> <PRE><CODE>| rex field=Name "(?i)pvms(?&lt;Physical_Host_Type&gt;\d+)" </CODE></PRE> Wed, 20 May 2015 21:10:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118624#M31691 woodcock 2015-05-20T21:10:11Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118625#M31692 <P>I think it is easier then you think.</P> <PRE><CODE>| eval Physical_Host_Type = case(match(Name,"(?i)vpvms"),"ESX Host",1==1,"None") </CODE></PRE> <P>This is better for two reasons: Field names should NOT have spaces in them, it can be done, just not recommended. And the "1==1" is your always true statement, so you can filter out those that don't match later on. I have tested this on a different pattern, and it worked.</P> Wed, 20 May 2015 21:17:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118625#M31692 alacercogitatus 2015-05-20T21:17:27Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118626#M31693 <P>That is not even a valid command. Please revise.</P> Wed, 20 May 2015 21:18:13 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118626#M31693 alacercogitatus 2015-05-20T21:18:13Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118627#M31694 <P>Sorry, skip the <CODE>eval</CODE>!</P> Wed, 20 May 2015 21:21:18 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118627#M31694 woodcock 2015-05-20T21:21:18Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118628#M31695 <P>It will be better to give exact answer if you provide 1 or 2 lines of logs.</P> <P>Thanks</P> Wed, 20 May 2015 21:52:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118628#M31695 regexcracker 2015-05-20T21:52:42Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118629#M31696 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/3514">@alacercogitatus</a> I tried your statement with no luck, I have provided a table of the data below. Those CI Names with vpvms I would like to have ESX show up in the Physical_Host_Type</P> <P>CI Name Physical_Host_Type<BR /> ordcwpdbsaasc1b None<BR /> ordcvzvms01f None<BR /> ordcvpvms02c None<BR /> ordcvzvms01d None<BR /> nadcvpvms03a None</P> <P>I appreciate the help</P> Mon, 28 Sep 2020 19:59:58 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118629#M31696 jhayIV 2020-09-28T19:59:58Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118630#M31697 <P>Based on your table there, is your field actually called <CODE>Name</CODE> or is it actually <CODE>'CI Name'</CODE> ?</P> Thu, 21 May 2015 04:31:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118630#M31697 acharlieh 2015-05-21T04:31:24Z https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118631#M31698 <P>@acharlieh Field Name is 'Name' Sorry about that</P> Thu, 21 May 2015 18:59:35 GMT https://community.splunk.com/t5/Splunk-Search/Regex-If-Statement-Help/m-p/118631#M31698 jhayIV 2015-05-21T18:59:35Z