Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my eval case statement to exclude cert...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nivethainspire_
Explorer
11-07-2016
03:17 AM
My field has following value
summary="java running in chrome"
I need a search such that summary should have the word "java" and shouldn't have "chrome", "firefox".
My search is :
|eval Application = case(Summary like "%Java%" NOT "%chrome%" NOT "%firefox%","Java",Summary like "%flash%","flash")
but it is not working. Can anyone guide me?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
11-07-2016
04:35 AM
NOT keyword in not supported for case statement, so use ! instead for performing not expression.
|eval Application = case(Summary like "%Java%" AND ! ( Summary like "%chrome%" OR Summary like "%firefox%"),"Java",Summary like "%flash%","flash")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-07-2016
07:35 AM
Try something like this
your current search
|eval Application = case(match(Summary,"Java") AND NOT (match(Summary,"chrome") OR match(Summary,"firefox")), "Java" ,match(Summary,"flash"),"flash", true(),"other")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
11-07-2016
04:35 AM
NOT keyword in not supported for case statement, so use ! instead for performing not expression.
|eval Application = case(Summary like "%Java%" AND ! ( Summary like "%chrome%" OR Summary like "%firefox%"),"Java",Summary like "%flash%","flash")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nivethainspire_
Explorer
11-07-2016
05:24 AM
not working 😞
getting the following error.
Typechecking failed. 'OR' only takes boolean arguments.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
11-07-2016
06:48 AM
I have edited my answer as I was missing Summary like conditions in the not condition. Can you please retry the above and confirm?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
