Splunk Search

How can I include a wildcard character in eval command?

Contributor

I have the following search:

eval "tt"=case(transporttype="sip","Sip",................)

I can't figure out how do i include wildcard character behind and infront of sip. I have the following information in my data:
video sip
video_sip
sip_audio

I just want to count everything that has the word "sip" in there. How could i do this is eval command?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You are looking for the match() function or the like() function.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions

match() uses regular expressions, like() uses a SQL-like syntax

| eval "tt"=case(match(transporttype,"(?i)sip"),"Sip",        ................)
| eval "tt"=case(like(transporttype,"%sip%"),"Sip",        ................)

updated to close both function parens as per @jkat54's suggestion, and make match expression case-insensitive and unanchored as per @woodcock's suggestion.

I make mistakes at least once a day, just to keep in practice.

View solution in original post

SplunkTrust
SplunkTrust

You are looking for the match() function or the like() function.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions

match() uses regular expressions, like() uses a SQL-like syntax

| eval "tt"=case(match(transporttype,"(?i)sip"),"Sip",        ................)
| eval "tt"=case(like(transporttype,"%sip%"),"Sip",        ................)

updated to close both function parens as per @jkat54's suggestion, and make match expression case-insensitive and unanchored as per @woodcock's suggestion.

I make mistakes at least once a day, just to keep in practice.

View solution in original post

Esteemed Legend

Splunk RegEx is always unanchored by default so this is better (and case insensitive):

| eval tt=case(match(transporttype, "(?i)sip"), "Sip", ........, true(), "OOPS!")
0 Karma

SplunkTrust
SplunkTrust

"I make mistakes at least once a day, just to keep in practice"

Ha ha!

Esteemed Legend

Some people think that I am really clever but actually I am EXTENSIVELY Ex-dumb. They look the same from the outside, if you ignore the scars.

SplunkTrust
SplunkTrust

@woodcock- yes, experience is a wonderful thing, isn't it? It enables you to quickly recognize a mistake when you make it again.

0 Karma

SplunkTrust
SplunkTrust

Close those match perenthisis @daljeanis

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!