Splunk Search

How do we use wildcard such as * in eval case match to see multiple types of files?

sai_john
New Member

I was trying to give all the 6 types of files which are under fileName field and trying to get all the filetypes including * under FileType field. but with the below search i am not able to pull all 6types of files under FileType field.

Trying this search:
index=* | eval FileType=case(match(fileName,"ABC01.GIF*"),"ABC01.GIF*" , match(fileName,"ABC02.DCL*.GIF*"),"ABC02.DCL*.GIF*", match(fileName,"ABC03.IFG_DCL*.GIF*"),"ABC03.IFG_DCL*.GIF*", match(fileName,"ABC04.FGH_HCL*.DAT*"),"ABC04.FGH_HCL*.DAT*", match(fileName,"ABC05.FGH_OUT*.DAT*"), "ABC05.FGH_OUT*.DAT*", match(fileName,"ABC06.GHI_OUT_DAILY*.DAT*"), "ABC06.GHI_OUT_DAILY*.DAT*") | stats count by FileType

Please advise to get all types of files under FileType field.

Thanks!

0 Karma
1 Solution

somesoni2
Revered Legend

The match function in eval doesn't treat asterisk * as wildcard character but as regular expression. So the match fails. Try this

index= | eval FileType=case(match(fileName,"ABC01.GIF"),"ABC01.GIF*" , match(fileName,"ABC02.DCL.*.GIF.*"),"ABC02.DCL*.GIF*", match(fileName,"ABC03.IFG_DCL.*.GIF.*"),"ABC03.IFG_DCL*.GIF*", match(fileName,"ABC04.FGH_HCL.*.DAT.*"),"ABC04.FGH_HCL*.DAT*", match(fileName,"ABC05.FGH_OUT.*.DAT.*"), "ABC05.FGH_OUT*.DAT*", match(fileName,"ABC06.GHI_OUT_DAILY.*.DAT.*"), "ABC06.GHI_OUT_DAILY*.DAT*") | stats count by FileType

View solution in original post

somesoni2
Revered Legend

The match function in eval doesn't treat asterisk * as wildcard character but as regular expression. So the match fails. Try this

index= | eval FileType=case(match(fileName,"ABC01.GIF"),"ABC01.GIF*" , match(fileName,"ABC02.DCL.*.GIF.*"),"ABC02.DCL*.GIF*", match(fileName,"ABC03.IFG_DCL.*.GIF.*"),"ABC03.IFG_DCL*.GIF*", match(fileName,"ABC04.FGH_HCL.*.DAT.*"),"ABC04.FGH_HCL*.DAT*", match(fileName,"ABC05.FGH_OUT.*.DAT.*"), "ABC05.FGH_OUT*.DAT*", match(fileName,"ABC06.GHI_OUT_DAILY.*.DAT.*"), "ABC06.GHI_OUT_DAILY*.DAT*") | stats count by FileType

sai_john
New Member

This worked. Thanks soni

0 Karma

sai_john
New Member

I tried giving .. in between fileNames as you said but that is not working

0 Karma

somesoni2
Revered Legend

Can you post some sample values of field fileName, especially the ones which are failing?

0 Karma

sai_john
New Member

My result values under FileType should be
FileType
"ABC01.GIF*"
"ABC02.DCL*.GIF*"
"ABC03.IFG_DCL*.GIF*"
"ABC04.FGH_HCL*.DAT*"
"ABC05.FGH_OUT*.DAT*"
"ABC06.GHI_OUT_DAILY*.DAT*"

0 Karma

sbbadri
Motivator

try this

\*

or

| rex mode=sed "/*/ash/" | rest of the query instead of \* use ash

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @sai_john, if somesoni2's solution worked then please don't forget to accept their answer to award karma points and close the question. 🙂

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...