Dashboards & Visualizations

How to find square bracket in eval

tamalunp
Explorer

I need to find whether the string

["foobar"]

exists in a log message.  I have a search query like

some stuff
| eval hasFoobar = case(_raw LIKE "%\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 

which gives YESes as expected.

If I add a square bracket, whether escaped or not, I only get NOes.  E.g.,

some stuff
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 
some stuff
| eval hasFoobar = case(_raw LIKE "%\[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar 

 

Any advice?

 

Labels (1)
0 Karma

livehybrid
Super Champion

Hi @tamalunp 

You could try with searchmatch maybe?

| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")

livehybrid_0-1747204704335.png

 

Full example:

|windbag | head 1 | eval _raw="This is a test message [\"foo\"] bar"
| eval isFoo=if(searchmatch("[\"foo\"]"),"yes","no")
| table _raw isFoo

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

tamalunp
Explorer

This seemed like the solution at first, but there's a little quirk.

foo
| eval hasFoo = if (searchmatch("\"foo\"]"), "YES", "NO")
| table _raw hasFoo

In the case where _raw is like 

... ["foo", "bar"] ...

hasFoo evaluates to "YES".  

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So this example shows that the LIKE works with the [

| makeresults
| eval _raw="bla bla [\"foobar\"] bla bla"
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table _raw, hasFoobar 

so there may be something odd with your data. Your example shows table message, not _raw. Can you provide an example of _raw

0 Karma

tamalunp
Explorer

_raw is like

... \"products\": [\"foo\", \"bar\"], ...
0 Karma

isoutamo
SplunkTrust
SplunkTrust

The easiest way to see _raw is open event and select from “event actions” sho source.

isoutamo_0-1747196649710.png
then you see if there is e.g. some escape characters like \u0022 => “

 

0 Karma
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...