Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Having Trouble With CASE
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what I am using:
| eval siteName = case (Destination_IP == "199.47.*", dropbox.com)
I have tried everything and it is not working. Do you think it is because of the numbers "199.47.*"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP, "^199\.47\..*$"), "dropbox.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP,"^199\.47\..*”), "dropbox.com", match(Destination_IP,“^85\.17\.30\..*"), "megadownload.net", match(Destination_IP,"^195\.122\.131\..*"), "rapidshare.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the real answer. thanks this fixed the issue. you are a regex guru. thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP, "^199\.47\..*$"), "dropbox.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see now, / characters where removed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I think I understand well not relay
So if I want to use case to get a variable named siteName and I have three possible sites identified by three possible IP’s I would normally use this
'| eval siteName = case (Destination_IP == "199.47.”, dropbox.com, Destination_IP == “85.17.30.", megadownload.net, Destination_IP == "195.122.131.*", rapidshare.com)'
But this isn’t working and the multiple matches are not working. Do you have any other suggestions for CASE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the second argument of match function is a regex and "^199.47..$" in you example is not equal with "^199.47..*$" as I had suggested
http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Opps the match doesn't seem to work in case
'| eval siteName = case(match(Destination_IP, "^199.47..$"), "dropbox.com",match(Destination_IP, "^85.17.30.$"), "megadownload.net",match(Destination_IP, "^195.122.131.*$"), "rapidshare.com")'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HURA you are brilliant thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
