How do I use an eval command with a case function ...

Chandras11 · ‎11-30-2018

hi,

I have a field PORT_DESC with the values as:
"somethings sdsa Device:XYZ PORT: 1.2.3 BackPort: 4.5.6 some other text"
"somethings Othertext Device: PORT: BackPort: some other text"
Now I need to define a Port_Flag separating these values as:

eval Port_Flag= case(like(PORT_DESC,"%PORT:  BackPort:%"), "Flag_NO",like(PORT_DESC,"%PORT: 1.2.3 BackPort:%"),"Flag_YES",1=1,"Other")

However, the Port value can be anything such as 1.2.3 or CRMT or vw3d.

How can I separate these values where either no Port value is given or some value is assigned? Any regular expression will also be a great help, which can define

PORT:[Anything 0-9 or A-Z or a-z $%&/()]  BackPort:

Thanks in advance.

richgalloway · ‎11-30-2018

Instead of using like in your case statement, use match. The match function accepts regular expressions. For example,

eval Port_Flag= case(match(PORT_DESC,"PORT: BackPort:.*"), "Flag_NO", match(PORT_DESC,"PORT: .*? BackPort:.*"), "Flag_YES",1=1,"Other")

---
If this reply helps you, Karma would be appreciated.

Chandras11 · ‎11-30-2018

Thanks for the info. However, .*? take everything. How can I remove not 1 but any number fo space characters there?

richgalloway · ‎11-30-2018

.*? is non-greedy and should stop at " BackPort". \S+ is an alterative (perhaps a better one).

---
If this reply helps you, Karma would be appreciated.

whrg · ‎11-30-2018

Try: PORT: [^ ]+ BackPort:

How do I use an eval command with a case function with regex to separate the blank vs any character?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation