Solved: Help using eval case statement using wildcards

johnward4 · ‎05-17-2019

I'm trying to create a new field for category based off values in my existing 'message' field.

index=network sourcetype=test
| eval category = case (like(message,"*port scan detected*"), "Network_Port_Scan", like(message,"Gateway Anti-Virus Alert*"), like(message,"*Possible TCP Flood*")), "Network_Threat_Activity", like(message,"*packet dropped*" like(message,"*connection dropped*" like(message,"*protocol dropped*"))), "Network_Wire_Activity")

Does anyone know how I accomplish this?

woodcock · ‎05-17-2019

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

View solution in original post

woodcock · ‎05-17-2019

Asterisks are wild only for search and base searches. For eval and where, they are string literals so you MUST use something else like, like() or match().

johnward4 · ‎05-17-2019

@woodcock can I using OR operators inside a given like() statement?

example :

| eval category = case (like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%" OR "%TCP Flood%"), "Network_Threat_Activity")

woodcock · ‎05-17-2019

No but you can like() OR like() and you can use SQL boolean syntax or use match(message, "foo|bar|bat").

Help using eval case statement using wildcards

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation