Splunk Search

Easy way to match just the beginning of a field value

jravida
Communicator

Hi Folks,

I'm having a hard time working around using a wildcard within an eval, which isn't possible as far as I know.

Say I have these field values:
Bought an orange
Bought a banana
Bought a cantaloupe
Sold a monkey
Sold an elephant
Bought a lion

I want to count, simply, how many times "Bought" shows up and how many times "Sold" shows up, so I can chart them.

Eval statements prevent wildcards, so I can't think of what to use. Is there a simple method of doing this?

0 Karma
1 Solution

somesoni2
Revered Legend

Eval does accept the wildcard ('%') in the function 'like'. Try the expression below:

your base search | stats count(eval(like(yourfield,"Bought %"))) AS BoughtCount, count(eval(like(yourfield,"Sold %"))) AS SoldCount


the_wolverine
Champion
Bought OR Sold | rex "^(?<transaction>Bought|Sold)\b" | timechart span=1h count by transaction
0 Karma
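The two answers above combined into one self-contained search, as an added example that is not part of the original thread. It uses `makeresults` so it runs on any Splunk instance without indexed data; the field name `yourfield` is taken from the accepted answer, the six values are the ones from the question, and a seventh value, "Resold a monkey", is constructed here to show that a prefix pattern like `"Sold %"` does not match a value that merely contains "Sold" somewhere inside it:

```spl
| makeresults count=7
| streamstats count AS n
| eval yourfield=case(
    n==1, "Bought an orange",
    n==2, "Bought a banana",
    n==3, "Bought a cantaloupe",
    n==4, "Sold a monkey",
    n==5, "Sold an elephant",
    n==6, "Bought a lion",
    n==7, "Resold a monkey")
| eval transaction=case(
    like(yourfield, "Bought %"), "Bought",
    like(yourfield, "Sold %"),   "Sold",
    true(),                      "other")
| stats count BY transaction
```

The result is three rows: Bought 4, Sold 2, other 1. The `transaction` field produced by the second `eval` is the same thing the `rex` answer extracts, so on real data you can replace the final `stats` with `timechart span=1h count BY transaction` to get the chart the question asks for; the `case()` with a trailing `true()` branch also makes sure values that match neither prefix end up in a visible "other" bucket instead of silently dropping out of the chart.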
