I need to find whether the string
["foobar"]
exists in a log message. I have a search query like
some stuff
| eval hasFoobar = case(_raw LIKE "%\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar
which gives YESes as expected.
If I add a square bracket, whether escaped or not, I only get NOes. E.g.,
some stuff
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar
some stuff
| eval hasFoobar = case(_raw LIKE "%\[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar
Any advice?
Hi @tamalunp
You could try with searchmatch maybe?
| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")
Full example:
|windbag | head 1 | eval _raw="This is a test message [\"foo\"] bar"
| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")
| table _raw isFoo
This seemed like the solution at first, but there's a little quirk.
foo
| eval hasFoo = if (searchmatch("\"foo\"]"), "YES", "NO")
| table _raw hasFoo
In the case where _raw is like
... ["foo", "bar"] ...
hasFoo evaluates to "YES".
So this example shows that the LIKE works with the [
| makeresults
| eval _raw="bla bla [\"foobar\"] bla bla"
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table _raw, hasFoobar
so there may be something odd with your data. Your example shows table message, not _raw. Can you provide an example of _raw?
_raw is like
... \"products\": [\"foo\", \"bar\"], ...
The easiest way to see _raw is to open the event and select "Show Source" from "Event Actions".
Then you can see whether there are, e.g., escape characters like \u0022 => "
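Added example, not from the thread: the _raw shown above keeps the inner document as an escaped string, so the bracket is followed by a backslash (`[\"foo`), and a pattern that looks for `["foo` never finds it. The Python below models that shape on constructed sample events (not the asker's data) and contrasts the literal substring test, which is what LIKE does on _raw, with decoding the nested JSON and comparing the extracted list. It also includes the "show source" check: listing the escape sequences present, since quotes stored as \u0022 instead of \" defeat the substring pattern again. In Splunk the analogous approach is to extract the nested field (e.g. with spath) and compare the field value instead of pattern-matching _raw; if you do keep a LIKE on _raw, the backslash in the pattern must itself be escaped inside the eval string literal.

```python
import json
import re

# Constructed sample events (not from the thread), modelled on the _raw shape
# the asker describes: a JSON event whose "payload" field is itself a JSON
# document stored as an escaped string. The third line encodes the inner
# quotes as \u0022 instead of \" to show a second escaping style.
SAMPLE_RAW = [
    r'{"message": "order placed", "payload": "{\"products\": [\"foobar\", \"baz\"]}"}',
    r'{"message": "order placed", "payload": "{\"products\": [\"foo\", \"bar\"]}"}',
    r'{"message": "order placed", "payload": "{\u0022products\u0022: [\u0022foobar\u0022]}"}',
]

# A backslash followed by either \uXXXX or a single escaped character.
ESCAPE_RE = re.compile(r'\\(?:u[0-9a-fA-F]{4}|.)')


def find_escapes(raw: str) -> list[str]:
    """Return every backslash escape sequence in the raw text, in order.

    This is the "show source" check: it reveals whether the inner quotes are
    stored as \\" or \\u0022, which decides what a literal pattern must contain.
    """
    return ESCAPE_RE.findall(raw)


def naive_like(raw: str, needle: str) -> bool:
    """Literal substring test, the same thing LIKE "%needle%" does on _raw."""
    return needle in raw


def decode_payload(raw: str):
    """Decode the outer event, then the escaped inner JSON in 'payload'.

    Returns None if either layer is missing or not valid JSON, so callers
    treat malformed events as non-matches instead of raising.
    """
    try:
        outer = json.loads(raw)
        inner = json.loads(outer["payload"])
    except (ValueError, KeyError, TypeError):
        return None
    return inner


def has_product(raw: str, name: str) -> bool:
    """True if the decoded product list contains exactly `name`.

    Element comparison means "foo" does not match "foobar", which a substring
    test on _raw cannot guarantee.
    """
    inner = decode_payload(raw)
    if not isinstance(inner, dict):
        return False
    products = inner.get("products")
    return isinstance(products, list) and name in products


def products_equal(raw: str, expected: list[str]) -> bool:
    """True only if the product list is exactly `expected`, so ["foo"] does not
    match an event whose list is ["foo", "bar"] (the quirk seen with searchmatch)."""
    inner = decode_payload(raw)
    return isinstance(inner, dict) and inner.get("products") == expected


if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(
            find_escapes(raw)[:1],                 # which escape style is in use
            naive_like(raw, '["foobar'),           # pattern without the backslash
            naive_like(raw, '[\\"foobar'),         # pattern with a literal backslash
            has_product(raw, "foobar"),            # decoded comparison
        )
```

Running the block shows that only the decoded comparison gives the right answer for all three escape styles; the substring pattern has to be rewritten for each way the producer chose to escape the quotes.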