Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with eval and wildcards

a212830
Champion
‎07-26-2019 06:55 AM

Hi,

I'm trying to use eval for hosts, and need to use wildcards. I tried the following, but it's not working. How does eval handle wildcards?

index=main sourcetype=sensor_info 
| eval IDSGROUP = case(match(host==az*, "Tuscon RIG", host==bos*, "Boston RIG", host==tx*, "DFW RIG", host==ca*, "LAX RIG"))
| timechart avg(pkt_drop_percent) by host
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 07:06 AM

Hi @a212830,
try to use like instead match

index=main sourcetype=sensor_info 
| eval IDSGROUP = case(like(host,"az%"), "Tuscon RIG", like(host,"bos%"), "Boston RIG", like(host,"tx%"), "DFW RIG", like(host,"ca%"), "LAX RIG")
| timechart avg(pkt_drop_percent) by host

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

twinspop
Influencer
‎07-28-2019 08:00 PM

First you need to have your pattern wrapped in quotes.

Two, you need to use match() properly.

Then you need to fix your regex.

You probably want something like case(match(host,”az.*”),”Tuscon”,match(host,”bos.*”),”Boston”) for a shortened example

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-26-2019 07:06 AM

Hi @a212830,
try to use like instead match

index=main sourcetype=sensor_info 
| eval IDSGROUP = case(like(host,"az%"), "Tuscon RIG", like(host,"bos%"), "Boston RIG", like(host,"tx%"), "DFW RIG", like(host,"ca%"), "LAX RIG")
| timechart avg(pkt_drop_percent) by host

Bye.
Giuseppe

Reply
Solved! Jump to solution

a212830
Champion
‎07-26-2019 08:39 AM

Thanks! !!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-27-2019 07:52 AM

You're welcome!
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...