https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272707#M82109 <P>Beautiful thing !!! it works -</P> <PRE><CODE>| eval tin_provider=if(like(source,"%part-m-00009%"),"XXXX","ccccc") </CODE></PRE> Mon, 04 Apr 2016 00:23:24 GMT ddrillic 2016-04-04T00:23:24Z https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272704#M82106 <P>The question relates to <A href="https://answers.splunk.com/answers/387510/alternatives-to-using-join-command.html">https://answers.splunk.com/answers/387510/alternatives-to-using-join-command.html</A></P> <PRE><CODE>index=provider source="*part-m-00009*" </CODE></PRE> <P>returns events that belong to a scoop file which contains a part-m-00009 string in its name. </P> <PRE><CODE>(index=provider source="*part-m-00009*") | eval tin_provider=if(source="*part-m-00009*","XXXX","ccccc") </CODE></PRE> <P>returns ccccc for the tin_provider field.</P> <P>Does it make sense?</P> <P>I'm also trying -</P> <PRE><CODE>| eval tin_provider=if(source=="*part-m-00009*","XXXX","ccccc") </CODE></PRE> <P>Meaning, double equal with the same results, which is also weird. </P> Sun, 03 Apr 2016 21:14:45 GMT https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272704#M82106 ddrillic 2016-04-03T21:14:45Z https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272705#M82107 <P>hmm i wonder if the quotes around the source in your eval if is causing it to literally look for source containing asterisk...will test and let you know...</P> Sun, 03 Apr 2016 21:34:15 GMT https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272705#M82107 mattymo 2016-04-03T21:34:15Z https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272706#M82108 <P>The operator <CODE>=</CODE> has different meaning in the <CODE>search</CODE> command (wildcard matching) and the <CODE>eval</CODE> command (equality).</P> <P>To get wildcard matching in <CODE>eval</CODE>, you can use <CODE>match()</CODE> with regular expressions, <CODE>like()</CODE> with SQL-style wildcards, or <CODE>searchmatch()</CODE> to get asterisk wildcards like in the <CODE>search</CODE> command. Check out <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions</A> for more info.</P> Sun, 03 Apr 2016 21:47:50 GMT https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272706#M82108 martin_mueller 2016-04-03T21:47:50Z https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272707#M82109 <P>Beautiful thing !!! it works -</P> <PRE><CODE>| eval tin_provider=if(like(source,"%part-m-00009%"),"XXXX","ccccc") </CODE></PRE> Mon, 04 Apr 2016 00:23:24 GMT https://community.splunk.com/t5/Splunk-Search/Eval-and-if-commands-return-unexpected-result/m-p/272707#M82109 ddrillic 2016-04-04T00:23:24Z