@namritha, the match() will look for the string anywhere in the field. As long as the text (ApplicationA, database etc) exists in the value of the field Error_description match will find it. Having said that, match uses a regex to find the match. So, match(Error_description, "database") is NOT the same as match(Error_description, "Database"). Same with application. Regex is case sensitive. Also, adding * would mean 0-n occurrences, which is not needed. As long as the regex is correct match will find it anywhere in the string. If you need help with the regex, share some actual samples of Error_description values.

Thankyou sundareshr.

My requirement is slightly different, maybe I wasn't very clear. The events are like these,

Error_Description:
value 1 = Contains the term ApplicationA caused error while hitting the database
value 2 = Contains the term ApplicationA error
value 3 = Contains the term Database error

i.e. we may have other values like className, methodName or even random strings before and after 'ApplicationA caused an error while hitting the database'. The eval needs to check if the Error_description CONTAINS the terms.

Will adding * before and after ApplicationA help then? I have modified the query below.

| eval Error_Type=case(match(Error_description, "*ApplicationA*") AND match(Error_description, "*Database*", "Application/DB error or both", match(Error_description, "*Database*") AND NOT match(Error_description, "*ApplicationA*", ""purely DB error", 1=1, "UNK")