Splunk Search
Highlighted

How do I use an eval command with a case function with regex to separate the blank vs any character?

Communicator

hi,

I have a field PORTDESC with the values as:
"somethings sdsa Device:XYZ PORT: 1.2.3 BackPort: 4.5.6 some other text"
"somethings Othertext Device: PORT: BackPort: some other text"
Now I need to define a Port
Flag separating these values as:

eval Port_Flag= case(like(PORT_DESC,"%PORT:  BackPort:%"), "Flag_NO",like(PORT_DESC,"%PORT: 1.2.3 BackPort:%"),"Flag_YES",1=1,"Other")

However, the Port value can be anything such as 1.2.3 or CRMT or vw3d.

How can I separate these values where either no Port value is given or some value is assigned? Any regular expression will also be a great help, which can define

PORT:[Anything 0-9 or A-Z or a-z $%&/()]  BackPort:

Thanks in advance.

0 Karma
Highlighted

Re: How do I use an eval command with a case function with regex to separate the blank vs any character?

SplunkTrust
SplunkTrust

Instead of using like in your case statement, use match. The match function accepts regular expressions. For example,

eval Port_Flag= case(match(PORT_DESC,"PORT: BackPort:.*"), "Flag_NO", match(PORT_DESC,"PORT: .*? BackPort:.*"), "Flag_YES",1=1,"Other")

---
If this reply helps you, an upvote would be appreciated.
Highlighted

Re: How do I use an eval command with a case function with regex to separate the blank vs any character?

Communicator

Thanks for the info. However, .*? take everything. How can I remove not 1 but any number fo space characters there?

0 Karma
Highlighted

Re: How do I use an eval command with a case function with regex to separate the blank vs any character?

Motivator

Try: PORT: [^ ]+ BackPort:

0 Karma
Highlighted

Re: How do I use an eval command with a case function with regex to separate the blank vs any character?

SplunkTrust
SplunkTrust

.*? is non-greedy and should stop at " BackPort". \S+ is an alterative (perhaps a better one).

---
If this reply helps you, an upvote would be appreciated.
0 Karma