Solved: Escaping Underscore inside "like"

bruceclarke · ‎09-12-2014

All,

I'm trying to write a search that does something like the following:

[some search] | eval option=case(like(field,"%_Blah"), field, 1=1, "Other")

So, I want to return anything that ends with "_Blah". The problem is that I also have a value that is "_OtherBlah" which is being matched. I'm assuming I need to do something to escape the underscore, but I can't seem to find how to do it. A backslash or putting the underscore in brackets won't work.

Can someone help?

Thanks!

lguinn2 · ‎09-12-2014

I would do it like this:

yoursearchhere
| eval option=if(match(field,"_Blah$"),field,"Other")

This uses a regular expression for the test. I also think that the if function is a little easier to read than case in this example.

View solution in original post

lguinn2 · ‎09-12-2014

I would do it like this:

yoursearchhere
| eval option=if(match(field,"_Blah$"),field,"Other")

This uses a regular expression for the test. I also think that the if function is a little easier to read than case in this example.

bruceclarke · ‎09-12-2014

Works great! Thank you!

Escaping Underscore inside "like"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?