Dashboards & Visualizations

How to find square bracket in eval

tamalunp
Explorer

I need to find whether the string

["foobar"]

exists in a log message.  I have a search query like

some stuff
| eval hasFoobar = case(_raw LIKE "%\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 

which gives YESes as expected.

If I add a square bracket, whether escaped or not, I only get NOes.  E.g.,

some stuff
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 
some stuff
| eval hasFoobar = case(_raw LIKE "%\[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 

 

Any advice?

 

Labels (1)
0 Karma

livehybrid
Super Champion

Hi @tamalunp 

You could try with searchmatch maybe?

| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")

livehybrid_0-1747204704335.png

 

Full example:

|windbag | head 1 | eval _raw="This is a test message [\"foo\"] bar"
| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")
| table _raw isFoo

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

tamalunp
Explorer

This seemed like the solution at first, but there's a little quirk.

foo
| eval hasFoo = if (searchmatch("\"foo\"]"), "YES", "NO")
| table _raw hasFoo

In the case where _raw is like 

... ["foo", "bar"] ...

hasFoo evaluates to "YES".  

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So this example shows that the LIKE works with the [

| makeresults
| eval _raw="bla bla [\"foobar\"] bla bla"
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table _raw, hasFoobar 

so there may be something odd with your data. Your example shows table message, not _raw. Can you provide an example of _raw

0 Karma

tamalunp
Explorer

_raw is like

... \"products\": [\"foo\", \"bar\"], ...
0 Karma

isoutamo
SplunkTrust
SplunkTrust

The easiest way to see _raw is open event and select from “event actions” sho source.

isoutamo_0-1747196649710.png
then you see if there is e.g. some escape characters like \u0022 => “

 

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...