I have a conditional statement (part of an eval case) in which I need to check for the value of a field. The desired value contains a forward slash ( / ).
| eval Bool = case(Reason=="Thing1 / Thing2", 0, ... 1=1, 1)
This statement will evaluate to Bool = 1.
I've tried to escape it with a back slash ( \ ), but that didn't work.
| eval Bool = case(Reason=="Thing1 \/ Thing2", 0, ... 1=1, 1)
This still evaluates to Bool = 1.
I can technically use a like statement, which is how I know the / is causing the issue.
| eval Bool = case(Reason like "Thing1 % Thing2", 0, ... 1=1, 1)
This evaluates to Bool = 0.
| eval Bool = case(Reason like "Thing1%Thing2", 0, ... 1=1, 1)
This evaluates to Bool = 0. (The only difference is no spaces around the % character.)
Is there a solution that will let me use an exact match search vs. the like statement?

You should not need to escape anything other than a double quote within a string. Are you sure your Reason field contains exactly the string value you are evaluating in your case statement (extra spaces, tab characters, etc.)?
@mstark31
check this,
| makeresults | eval test="Thing1 / Thing2" | eval test1 = case(test=="Thing1 / Thing2","One",test!="Thing1 / Thing2","Two") | eval test2 = case(test="Thing1 \/ Thing2","one",test!="Thing1 \/ Thing2","TWO")
Thank you for helping with my debugging process. Despite the fact that I was copying and pasting the value for Reason from my data table, there was another space in there causing the problem. I went back to our original database that is sending to Splunk and found the space.
I feel silly, but at least I was able to rule out the need to escape the forward /.

He/She who has never overlooked a space throw the first rock! 😉
Glad you got it figured out; and thanks for closing the loop by providing (re)solution and accepting answer!
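
The hidden-space cause found in this exchange can be confirmed directly in SPL by comparing the raw value against a whitespace-normalized copy. This is an added example, not part of any post in the thread; the Reason value with a doubled space is constructed, and raw_len, encoded, Normalized, Bool_raw and Bool_norm are hypothetical field names.

```spl
| makeresults
| eval Reason="Thing1  / Thing2"
| eval raw_len=len(Reason)
| eval encoded=urlencode(Reason)
| eval Normalized=trim(replace(Reason, "\s+", " "))
| eval Bool_raw=case(Reason=="Thing1 / Thing2", 0, 1=1, 1)
| eval Bool_norm=case(Normalized=="Thing1 / Thing2", 0, 1=1, 1)
| table Reason raw_len encoded Normalized Bool_raw Bool_norm
```

A raw_len larger than the length of the expected string, or a Bool_raw that differs from Bool_norm, points to stray whitespace in the indexed value rather than to the forward slash.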

Hi mstark31,
What version are you on? Because this works just fine on 6.6.3 using this search:
| makeresults
| eval Reason="Thing1 / Thing2"
| eval Bool = case(Reason=="Thing1 / Thing2", 0, 1=1, 1)
| eval Bool2 = case(Reason=="Thing2 / Thing2", 0, 1=1, 1)
cheers, MuS
I am in 6.6.2.
I tried your search, and it does exactly what yours does (basically, works).
I had to abstract things for the search I shared in my question, but my original search still doesn't function properly. I am in the process of making sure I'm not missing anything else.
