Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my eval case statement to exclude certain text from a field's value?

nivethainspire_
Explorer
‎11-07-2016 03:17 AM

My field has following value

summary="java running in chrome"

I need a search such that summary should have the word "java" and shouldn't have "chrome", "firefox".

My search is :

|eval Application = case(Summary like "%Java%"  NOT "%chrome%" NOT "%firefox%","Java",Summary like "%flash%","flash")

but it is not working. Can anyone guide me?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎11-07-2016 04:35 AM

NOT keyword in not supported for case statement, so use ! instead for performing not expression.

|eval Application = case(Summary like "%Java%" AND ! ( Summary like "%chrome%" OR Summary like "%firefox%"),"Java",Summary like "%flash%","flash")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-07-2016 07:35 AM

Try something like this

your current search
|eval Application = case(match(Summary,"Java") AND NOT (match(Summary,"chrome") OR match(Summary,"firefox")), "Java" ,match(Summary,"flash"),"flash", true(),"other")
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎11-07-2016 04:35 AM

NOT keyword in not supported for case statement, so use ! instead for performing not expression.

|eval Application = case(Summary like "%Java%" AND ! ( Summary like "%chrome%" OR Summary like "%firefox%"),"Java",Summary like "%flash%","flash")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nivethainspire_
Explorer
‎11-07-2016 05:24 AM

not working 😞
getting the following error.
Typechecking failed. 'OR' only takes boolean arguments.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-07-2016 06:48 AM

I have edited my answer as I was missing Summary like conditions in the not condition. Can you please retry the above and confirm?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...