I have a conditional statement (part of an eval case) in which I need to check for the value of a field. The desired value contains a forward slash (
| eval Bool = case(Reason=="Thing1 / Thing2", 0, ... 1=1, 1). This statement will evaluate to Bool = 1.
I've tried to escape it with a back slash (/), but that didn't work.
| eval Bool = case(Reason=="Thing1 \/ Thing2", 0, ... 1=1, 1). This still evaluates to Bool = 1.
I can technically use a like statement, which is how I know the / is causing the issue.
| eval Bool = case(Reason like "Thing1 % Thing2", 0, ... 1=1, 1). This evaluates to Bool = 0.
| eval Bool = case(Reason like "Thing1%Thing2", 0, ... 1=1, 1). This evaluates to Bool = 0. (The only difference is no spaces around the
Is there a solution that will let me use an exact match search vs. the like statement?
| makeresults | eval test="Thing1 / Thing2" | eval test1 = case(test=="Thing1 / Thing2","One",test!="Thing1 / Thing2","Two") | eval test2 = case(test="Thing1 \/ Thing2","one",test!="Thing1 \/ Thing2","TWO")
Thank you for helping with my debugging process. Despite the fact that I was copying and pasting the value for Reason from my data table, there was another space in there causing the problem. I went back to our original database that is sending to Splunk and found the space.
I feel silly, but at least I was able to rule out the need to escape the forward /.
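A diagnostic search for the situation described above, added here as an example and not taken from any poster in the thread: it compares a field against the expected string, exposes hidden whitespace by length and by substituting a visible character, and then repeats the exact match on a whitespace-normalized copy. The Reason value is constructed sample data with two spaces after the slash; the field names expected, exact, len_actual, len_expected, visible and normalized are made up for the illustration.

```spl
| makeresults
| eval sample_note="constructed sample: Reason has two spaces after the slash"
| eval Reason="Thing1 /  Thing2"
| eval expected="Thing1 / Thing2"
| eval exact=if(Reason==expected, "match", "no match")
| eval len_actual=len(Reason), len_expected=len(expected)
| eval visible=replace(Reason, "\s", "_")
| eval normalized=trim(replace(Reason, "\s+", " "))
| eval Bool=case(normalized==expected, 0, 1=1, 1)
| table sample_note Reason exact len_actual len_expected visible normalized Bool
```

A difference between len_actual and len_expected, or a doubled underscore in visible, points to extra whitespace in the indexed value rather than to the forward slash.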
He/She who has never overlooked a space throw the first rock! 😉
Glad you got it figured out; and thanks for closing the loop by providing (re)solution and accepting answer!
I am in 6.6.2.
I tried your search, and it does exactly what yours does (basically, works).
I had to abstract things for the search I shared in my question, but my original search still doesn't function properly. I am in the process of making sure I'm not missing anything else.