Splunk Search

Escaping a forward slash / in conditional statement

mstark31
Path Finder

I have a conditional statement (part of an eval case) in which I need to check for the value of a field. The desired value contains a forward slash (/).
| eval Bool = case(Reason=="Thing1 / Thing2", 0, ... 1=1, 1)
This statement will evaluate to Bool = 1.

I've tried to escape it with a backslash (\), but that didn't work.
| eval Bool = case(Reason=="Thing1 \/ Thing2", 0, ... 1=1, 1)
This still evaluates to Bool = 1.

I can technically use a like statement, which is how I know the / is causing the issue.
| eval Bool = case(Reason like "Thing1 % Thing2", 0, ... 1=1, 1)
This evaluates to Bool = 0.
| eval Bool = case(Reason like "Thing1%Thing2", 0, ... 1=1, 1)
This evaluates to Bool = 0. (The only difference is no spaces around the % character.)

Is there a solution that will let me use an exact match search vs. the like statement?

0 Karma
1 Solution

s2_splunk
Splunk Employee

You should not need to escape anything other than a double quote within a string. Are you sure your Reason field contains exactly the string value you are evaluating in your case statement (extra spaces, tab characters, etc.)?
I have no issues with proper evaluation, if the string matches.


sbbadri
Motivator

@mstark31

Check this:

| makeresults | eval test="Thing1 / Thing2" | eval test1 = case(test=="Thing1 / Thing2","One",test!="Thing1 / Thing2","Two") | eval test2 = case(test="Thing1 \/ Thing2","one",test!="Thing1 \/ Thing2","TWO")

0 Karma

mstark31
Path Finder

Thank you for helping with my debugging process. Despite the fact that I was copying and pasting the value for Reason from my data table, there was another space in there causing the problem. I went back to our original database that is sending to Splunk and found the space.

I feel silly, but at least I was able to rule out the need to escape the forward /.

0 Karma
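
As an added example (not part of any post in this thread), the search below shows one way to surface the kind of stray whitespace that broke the exact match here. The rows are constructed with makeresults, and the field names sample, expected, visible and normalized are assumptions for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample=case(n==1, "constructed: clean", n==2, "constructed: doubled space", n==3, "constructed: trailing space")
| eval Reason=case(n==1, "Thing1 / Thing2", n==2, "Thing1 /  Thing2", n==3, "Thing1 / Thing2 ")
| eval expected="Thing1 / Thing2"
| eval exact=if(Reason==expected, "match", "no match")
| eval len_actual=len(Reason), len_expected=len(expected)
| eval visible=replace(Reason, "\s", "_")
| eval normalized=trim(replace(Reason, "\s+", " "))
| eval Bool=case(normalized==expected, 0, 1=1, 1)
| table sample Reason visible len_actual len_expected exact Bool
```

A difference between len_actual and len_expected, together with the visible column, shows where the extra character sits. Comparing against normalized is a workaround; correcting the value at the source is the durable fix.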

s2_splunk
Splunk Employee

He/She who has never overlooked a space throw the first rock! 😉
Glad you got it figured out; and thanks for closing the loop by providing (re)solution and accepting answer!

0 Karma

MuS
Legend

Hi mstark31,

What version are you on? Because this works just fine on 6.6.3 using this search:

| makeresults 
| eval Reason="Thing1 / Thing2" 
| eval Bool = case(Reason=="Thing1 / Thing2", 0, 1=1, 1) 
| eval Bool2 = case(Reason=="Thing2 / Thing2", 0, 1=1, 1)


cheers, MuS

mstark31
Path Finder

I am in 6.6.2.

I tried your search, and it does exactly what yours does (basically, works).

I had to abstract things for the search I shared in my question, but my original search still doesn't function properly. I am in the process of making sure I'm not missing anything else.

0 Karma