Splunk Search

How to modify my search to make my field value case INSENSITIVE in an IF statement with a WILDCARD?

saimaday2
Engager

Hi,
I want the "test" field to return a value of 1 for all events with the word "lookup" regardless of case.

index=idm-prdidx  "Intuit.consumer.mintiusgrant.grantjob"
| eval test=if(like(api,"*lookup*"),1,0)
| table api test
0 Karma
1 Solution

sundareshr
Legend

Try this

 index=idm-prdidx  "Intuit.consumer.mintiusgrant.grantjob"
 | eval test=if(match(api,"(?i)lookup"),1,0)
 | table api test

View solution in original post

sundareshr
Legend

Try this

 index=idm-prdidx  "Intuit.consumer.mintiusgrant.grantjob"
 | eval test=if(match(api,"(?i)lookup"),1,0)
 | table api test

View solution in original post

saimaday2
Engager

Additionally if I wanted to have the wildcard only at the end of the word and still ignore case sensitivity, how I would I do that?

lookup*

Thanks!

0 Karma

saimaday2
Engager

That works! Thanks!!

0 Karma