
LIKE() with wildcard within an IF statement

Tisiphone_1
Explorer

Can anybody tell me why this LIKE statement using a wildcard errors out within an IF statement in a form search, but not in the standard search box?

Here's the whole form search:

   <searchTemplate>
   index=test
   [stats count | eval search=(

           if("$VAR$"=="empty"," "," | where like(field,%$VAR$%) ")

   ) 

   | fields - count ]
   </searchTemplate>

The part that never works is the LIKE statement % (the search wildcard):

| where like(field,%$VAR$%)

I have tried using ASCII instead of the % symbol, and quotes in different places. The error I receive is: "Error in 'eval' command: Typechecking failed. '%' only takes numbers."

However, in standard search:

| where like(field,%stuff%) 

works just fine.

FYI: I am using 4.0.11 - it appears LIKE may function differently than newer versions.


kartik13
Communicator

I know it's too late to reply, but not too late to contribute.
I am working on the same kind of thing; here is my query, which worked for me.

|where like(label,"%"+"$Token_Name$"+"%") OR like(label,"%"+"$Token_Name_part$"+"%")

rey123
Path Finder

The above syntax of including "%" in a separate set of quotes from the token did not work for me. After a lot of trial and error, what worked was this, i.e., encapsulating the "%" within the SAME SET of quotes as the token:

| where like(label,"%$Token_Name$%")

jetie
Explorer

oiResult=failure | where like(oiErrorString, "%5 - invalid truck number DSN%")

Works for me with version 6.0


jrodman
Splunk Employee

If you paste this search into the Summary view of search, does it seem to land in the flash timeline intact?


Tisiphone_1
Explorer

I'm letting a user put a string into a search box, and if the search box is not empty I am searching for things that contain that string.


Stephen_Sorkin
Splunk Employee

Eval and where require that the pattern for a LIKE expression be a string literal. Your syntax should be | where like(field,"%stuff%"). I think that it's working in some of the cases because the UI is injecting quotes (where they don't necessarily belong).

Tisiphone_1
Explorer

I have tried both " and ". Both produce an error.


Johnvey
Contributor

Can you clarify what the output of the search should be? It appears that you're trying to generate SQL-like search syntax within the search language -- there probably is a simpler way to achieve what you want.
