Solved: Can I do string search inside case() func?

kausar · ‎12-22-2016

I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like:

index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")

OR

index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")

Though, I can use multiple subsearches and append the results but it doesn't seem to be very efficient.

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

View solution in original post

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

Can I do string search inside case() func?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Can I do string search inside case() func?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...