Archive

Escaping a forward slash / in conditional statement

Path Finder

I have a conditional statement (part of an eval case) in which I need to check for the value of a field. The desired value contains a forward slash ( /).
| eval Bool = case(Reason=="Thing1 / Thing2", 0, ... 1=1, 1). This statement will evaluate to Bool = 1.

I've tried to escape it with a back slash ( /), but that didn't work.
| eval Bool = case(Reason=="Thing1 \/ Thing2", 0, ... 1=1, 1). This still evaluates to Bool = 1.

I can technically use a like statement, which is how I know the / is causing the issue.
| eval Bool = case(Reason like "Thing1 % Thing2", 0, ... 1=1, 1). This evaluates to Bool = 0.
| eval Bool = case(Reason like "Thing1%Thing2", 0, ... 1=1, 1). This evaluates to Bool = 0. (The only difference is no spaces around the % character.)

Is there a solution that will let me use an exact match search vs. the like statement?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

You should not need to escape anything other than a double quote within a string. Are you sure your Reason field contains exactly the string value you are evaluating in your case statement (extra spaces, tab characters, etc.)?
I have no issues with proper evaluation, if the string matches.

View solution in original post

Motivator

@mstark31

check this,

| makeresults | eval test="Thing1 / Thing2" | eval test1 = case(test=="Thing1 / Thing2","One",test!="Thing1 / Thing2","Two") | eval test2 = case(test="Thing1 \/ Thing2","one",test!="Thing1 \/ Thing2","TWO")

0 Karma

Splunk Employee
Splunk Employee

You should not need to escape anything other than a double quote within a string. Are you sure your Reason field contains exactly the string value you are evaluating in your case statement (extra spaces, tab characters, etc.)?
I have no issues with proper evaluation, if the string matches.

View solution in original post

Path Finder

Thank you for helping with my debugging process. Despite the fact that I was copying and pasting the value for Reason from my data table, there was another space in there causing the problem. I went back to our original database that is sending to Splunk and found the space.

I feel silly, but at least I was able to rule out the need to escape the forward /.

0 Karma

Splunk Employee
Splunk Employee

He/She who has never overlooked a space throw the first rock! 😉
Glad you got it figured out; and thanks for closing the loop by providing (re)solution and accepting answer!

0 Karma

SplunkTrust
SplunkTrust

Hi mstark31,

What version are you on? Because this works just fine on 6.6.3 using this search:

| makeresults 
| eval Reason="Thing1 / Thing2" 
| eval Bool = case(Reason=="Thing1 / Thing2", 0, 1=1, 1) 
| eval Bool2 = case(Reason=="Thing2 / Thing2", 0, 1=1, 1)

alt text

cheers, MuS

Path Finder

I am in 6.6.2.

I tried your search, and it does exactly what yours does (basically, works).

I had to abstract things for the search I shared in my question, but my original search still doesn't function properly. I am in the process of making sure I'm not missing anything else.

0 Karma