Solved: How to match a condition based on a regex in strin...

cindygibbs_08 · ‎07-07-2021

Hello Lovely people

I have a field that contains values contatenated by the "." character and the values of this fields may be something like this:

uhss.didhikd.8979.ODJD.73HJ.Uber.39383.7854
dhikd.8979.ODUber.JD.73HJ.39383.7854
undñ_opl.Uber.iolddld
ddidjd_iddd_lioft_yes

What I want is to detect is if the string has the characters ".Uber" that means a "." next to "Uber" if that is true I want the variableRIDE to be 1 if not I want that variable to be 0, I would really enjoy your help guys thank you so much.. so for the last example:

FIELD	RIDE
uhss.didhikd.8979.ODJD.73HJ.Uber.39383.7854	1
dhikd.8979.ODUber.JD.73HJ.39383.7854	1
undñ_opl.Uber.iolddld	1
ddidjd_iddd_lioft_yes	0

Thank you so much guys!

venkatasri · ‎07-07-2021

Hi @cindygibbs_08

Can you try this? I assumed your field_name as FIELD feel free to change

<your_search_goes_here> 
| eval RIDE=if(like(FIELD,"%.Uber%"), 1,0) 
| table FIELD RIDE

---

An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

venkatasri · ‎07-07-2021

Hi @cindygibbs_08

Can you try this? I assumed your field_name as FIELD feel free to change

<your_search_goes_here> 
| eval RIDE=if(like(FIELD,"%.Uber%"), 1,0) 
| table FIELD RIDE

---

An upvote would be appreciated and Accept Solution if it helps!

How to match a condition based on a regex in string

summary indexing

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?