https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299535#M90253 <P>To use wildcards in <CODE>eval</CODE>, use the <CODE>match</CODE> or <CODE>like</CODE> function.</P> <PRE><CODE>... | eval dpInfo = if (match(url,"/api/v1/data/dataInfo/.*") | ... ... | eval dpInfo = if (like(url, "/api/v1/data/dataInfo/%") | ... </CODE></PRE> Fri, 31 Mar 2017 17:05:01 GMT richgalloway 2017-03-31T17:05:01Z https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299534#M90252 <P>I'm trying to wrap my head around assigning a variable to field values that have been consolidated by wildcard. The specific field is a url which contains unique values, but can be consolidated by wildcard:</P> <P>/api/v1/data/dataInfo/5034542340/0031f24ea10c/867542388<BR /> /api/v1/data/dataInfo/6134191727/0031f24ea10c/1353781841<BR /> /api/v1/data/validate</P> <P>Each of these has statusCode, timestamp, etc fields associated. I am needing to do a count of how many times /api/v1/data/dataInfo/* had a 404 response, and how many times /api/v1/data/validate had a 404 response, ideally in a timechart. Without consolidating to a wildcard, I have hundreds of results, because the hash that I'm consolidating via wildcard is unique.</P> <P>I've tried the following, but it errors on "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/api/v1/data/dataInfo/*)'." I take this to mean I can't use eval/if with a wildcard. </P> <PRE><CODE> index=data_index environment=Production clientName="DataTool" statusCode=404 | eval dpInfo = if(url=/api/v1/data/dataInfo/*) | eval validate = if(url=/api/v1/data/validate) | timechart count </CODE></PRE> <P>Any ideas would be very much appreciated!</P> Fri, 31 Mar 2017 16:41:32 GMT https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299534#M90252 smutherbavaro 2017-03-31T16:41:32Z https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299535#M90253 <P>To use wildcards in <CODE>eval</CODE>, use the <CODE>match</CODE> or <CODE>like</CODE> function.</P> <PRE><CODE>... | eval dpInfo = if (match(url,"/api/v1/data/dataInfo/.*") | ... ... | eval dpInfo = if (like(url, "/api/v1/data/dataInfo/%") | ... </CODE></PRE> Fri, 31 Mar 2017 17:05:01 GMT https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299535#M90253 richgalloway 2017-03-31T17:05:01Z https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299536#M90254 <P>Like this:</P> <PRE><CODE>index=data_index environment=Production clientName="DataTool" statusCode=404 | timechart count(eval(match(url, "^/api/v1/data/dataInfo/"))) AS dpinvo count(eval(match(url, "^/api/v1/data/validate$"))) AS validate </CODE></PRE> Fri, 31 Mar 2017 22:19:49 GMT https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299536#M90254 woodcock 2017-03-31T22:19:49Z https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299537#M90255 <P>Is it <CODE>*</CODE> or <CODE>.*</CODE> or <CODE>%</CODE> in the context of <CODE>match</CODE>?</P> Fri, 31 Mar 2017 22:49:10 GMT https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299537#M90255 DalJeanis 2017-03-31T22:49:10Z https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299538#M90256 <P>Good point; I should not have had the <CODE>*</CODE> there at all (I modified my answer). I could have put in <CODE>.*</CODE> but it would have been redundant for the need and waste effort for the RegEx parser. </P> Fri, 31 Mar 2017 23:30:35 GMT https://community.splunk.com/t5/Splunk-Search/Assigning-a-variable-to-field-values-consolidated-by-wildcard/m-p/299538#M90256 woodcock 2017-03-31T23:30:35Z