https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300652#M90526 <P>"I make mistakes at least once a day, just to keep in practice"</P> <P>Ha ha!</P> Fri, 25 Aug 2017 16:11:33 GMT jkat54 2017-08-25T16:11:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300648#M90522 <P>I have the following search:</P> <P>eval "tt"=case(transporttype="sip","Sip",................)</P> <P>I can't figure out how do i include wildcard character behind and infront of sip. I have the following information in my data:<BR /> video sip<BR /> video_sip<BR /> sip_audio</P> <P>I just want to count everything that has the word "sip" in there. How could i do this is eval command?</P> Tue, 29 Sep 2020 15:30:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300648#M90522 tamduong16 2020-09-29T15:30:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300649#M90523 <P>You are looking for the <CODE>match()</CODE> function or the <CODE>like()</CODE> function.</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions">https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions</A></P> <P><CODE>match()</CODE> uses regular expressions, <CODE>like()</CODE> uses a SQL-like syntax</P> <PRE><CODE>| eval "tt"=case(match(transporttype,"(?i)sip"),"Sip", ................) | eval "tt"=case(like(transporttype,"%sip%"),"Sip", ................) </CODE></PRE> <HR /> <P>updated to close both function parens as per @jkat54's suggestion, and make match expression case-insensitive and unanchored as per @woodcock's suggestion.</P> <P>I make mistakes at least once a day, just to keep in practice.</P> Thu, 24 Aug 2017 21:33:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300649#M90523 DalJeanis 2017-08-24T21:33:48Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300650#M90524 <P>Close those match perenthisis @daljeanis</P> Thu, 24 Aug 2017 22:56:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300650#M90524 jkat54 2017-08-24T22:56:58Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300651#M90525 <P>Splunk RegEx is always unanchored by default so this is better (and case insensitive):</P> <PRE><CODE>| eval tt=case(match(transporttype, "(?i)sip"), "Sip", ........, true(), "OOPS!") </CODE></PRE> Fri, 25 Aug 2017 02:05:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300651#M90525 woodcock 2017-08-25T02:05:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300652#M90526 <P>"I make mistakes at least once a day, just to keep in practice"</P> <P>Ha ha!</P> Fri, 25 Aug 2017 16:11:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300652#M90526 jkat54 2017-08-25T16:11:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300653#M90527 <P>Some people think that I am really clever but actually I am EXTENSIVELY Ex-dumb. They look the same from the outside, if you ignore the scars.</P> Fri, 25 Aug 2017 17:32:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300653#M90527 woodcock 2017-08-25T17:32:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300654#M90528 <P>@woodcock- yes, experience is a wonderful thing, isn't it? It enables you to quickly recognize a mistake when you make it again.</P> Fri, 25 Aug 2017 22:22:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-a-wildcard-character-in-eval-command/m-p/300654#M90528 DalJeanis 2017-08-25T22:22:52Z