Solved: Can I do string search inside case() func?

kausar · ‎12-22-2016

I have multiple queries for same index and therefore trying to avoid subsearches. Looking for right syntax, trying to do something like:

index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")

OR

index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")

Though, I can use multiple subsearches and append the results but it doesn't seem to be very efficient.

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

View solution in original post

lguinn2 · ‎12-22-2016

Neither of your eval functions have the proper syntax. I expect that you want

index=abc sourcetype=xyz 
| eval w=case( match(_raw,"keyword1"), "k1",
               match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
               match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")

Here is the syntax for the match and case functions: Evaluation Functions

Can I do string search inside case() func?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Can I do string search inside case() func?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!