Solved: Can I do string search inside case() func?

kausar · ‎12-22-2016

I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like:

index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")

OR

index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")

Though, I can use multiple subsearches and append the results but it doesn't seem to be very efficient.

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

View solution in original post

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

Can I do string search inside case() func?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Can I do string search inside case() func?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle