Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Can I do string search inside case() func?

kausar
Path Finder
‎12-22-2016 03:43 PM

I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like: 

index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")

OR

index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")

Though, I can use multiple subsearches and append the results but it doesn't seem to be very efficient.

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Can I do string search inside case() func?

lguinn2
Legend
‎12-22-2016 10:09 PM

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

View solution in original post

Reply