https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31079#M6400 <P>It did work. Thank you very much!</P> Fri, 10 Aug 2012 15:21:44 GMT gnovak 2012-08-10T15:21:44Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31077#M6398 <P>I have a search that uses some wildcards:</P> <PRE><CODE>sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P&lt;registrar&gt;\[\d+-\w\w\]) downloading .*/(?&lt;filename&gt;.+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf | eval Actual=case(filename="Statement.pdf","Billing Statement", filename="Invoice.pdf","Billing Invoice", filename="text.txt","Billing Text", filename="*-*.pdf","Scorecard", filename="*-*_invoice.html","Drilldown Invoice") </CODE></PRE> <P>You'll notice at the end of my eval command I used wildcards for the filenames. However, when I run this search the 2 filenames I identified in the eval command that are using wildcards will NOT show up in the Actual field. They show up as events and I can clearly see a line from the logs containing these filenames, but they aren't being assigned the filename I specified in the eval command.</P> <P>Does eval not like wildcards???</P> Thu, 09 Aug 2012 21:25:19 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31077#M6398 gnovak 2012-08-09T21:25:19Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31078#M6399 <P>No, eval does not like wildcards. And you should also be using == instead of = in your case statement. Try the match function to deal with wildcards explicitly - but remember that match uses regular expressions.</P> <PRE><CODE>sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P&lt;registrar&gt;\[\d+-\w\w\]) downloading .*/(?&lt;filename&gt;.+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf | eval Actual=case(filename=="Statement.pdf","Billing Statement", filename=="Invoice.pdf","Billing Invoice", filename=="text.txt","Billing Text", match(filename,".*-.*\.pdf$"),"Scorecard", match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice") </CODE></PRE> <P>This may work. Please comment if it doesn't!</P> Thu, 09 Aug 2012 22:04:51 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31078#M6399 lguinn2 2012-08-09T22:04:51Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31079#M6400 <P>It did work. Thank you very much!</P> Fri, 10 Aug 2012 15:21:44 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31079#M6400 gnovak 2012-08-10T15:21:44Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31080#M6401 <P>Hi, sorry for downvote misclick. I look at it again and match function is very useful.</P> Tue, 14 Jul 2015 20:14:20 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31080#M6401 psciegienny 2015-07-14T20:14:20Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31081#M6402 <P>Worked for me as well, thank you!</P> Thu, 22 Sep 2016 21:13:23 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31081#M6402 rfiscus 2016-09-22T21:13:23Z https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31082#M6403 <P>worked!!<BR /> Thanks. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 20 Oct 2017 04:45:11 GMT https://community.splunk.com/t5/Splunk-Search/eval-wildcards/m-p/31082#M6403 smitra_splunk 2017-10-20T04:45:11Z