topic How to use NOT in an IF condition? in Splunk Search

How to use NOT in an IF condition?

prakashbhanu407 — Thu, 14 Apr 2016 20:37:28 GMT

I have 2 files: Account and Account.TXT. I have to get only the "Account" file details. I tried:

if(  (like(filename,"Account%") AND NOT like(filename,"Account%.txt%")  ),filename,"X")

but it is returning both file types.

What is the mistake here?

Re: How to use NOT in an IF condition?

sundareshr — Thu, 14 Apr 2016 20:52:51 GMT

Why not just use .. | if(filename="Account", x, y) and skip the wildcard altogether?

Re: How to use NOT in an IF condition?

prakashbhanu407 — Fri, 15 Apr 2016 04:19:40 GMT

actually i have 2 sets of files X and Y,
X has about 10 different types of files including "AccountyyyyMMdd.hhmmss"(no extension)
Y has another 8 files types including "AccountyyyyMMdd.hhmmss.TXT"

So for the "X" type of files I have multiple "like()" functions in the if() condition, it should only retrieve data for "Account" file but it is also picking up for "Account.TXT" which should be of type "Y"
like below
if(
(like() like () ..... (like(filename,"Account%") AND NOT like(filename,"Account%.txt%")) ),"X" ,
if( (like() like()...like(filename,"Account%.txt%"),"Y","Other")
)
)

Re: How to use NOT in an IF condition?

sundareshr — Fri, 15 Apr 2016 16:14:22 GMT

Try the match() with regex . Something like this should work

.... | eval x=case(match(filename, "Account\d+\.\d+$", "no extn", filename="\.(txt|TXT)$", "with extn", 1=1, "no match")

Re: How to use NOT in an IF condition?

woodcock — Tue, 26 Apr 2016 13:46:28 GMT

Like this:

... | eval test = if((like(filename, "Account") AND NOT like(filename, "Account%.txt")), filename," X")

Your problem is the wildcard character %, most of which you do not need.