Solved: Escaping Underscore inside "like"

bruceclarke · ‎09-12-2014

All,

I'm trying to write a search that does something like the following:

[some search] | eval option=case(like(field,"%_Blah"), field, 1=1, "Other")

So, I want to return anything that ends with "_Blah". The problem is that I also have a value that is "_OtherBlah" which is being matched. I'm assuming I need to do something to escape the underscore, but I can't seem to find how to do it. A backslash or putting the underscore in brackets won't work.

Can someone help?

Thanks!

lguinn2 · ‎09-12-2014

I would do it like this:

yoursearchhere
| eval option=if(match(field,"_Blah$"),field,"Other")

This uses a regular expression for the test. I also think that the if function is a little easier to read than case in this example.

View solution in original post

lguinn2 · ‎09-12-2014

I would do it like this:

yoursearchhere
| eval option=if(match(field,"_Blah$"),field,"Other")

This uses a regular expression for the test. I also think that the if function is a little easier to read than case in this example.

bruceclarke · ‎09-12-2014

Works great! Thank you!

Escaping Underscore inside "like"

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Escaping Underscore inside "like"

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!