Splunk Search

How to run a search only if the format of the passed in ticket number is valid?

hmdoan
Explorer

I've been struggling with how to use 'if' via eval to determine whether or not to run a search.

We only want to run a search if the passed in ticket number is in a valid format - e.g., IM123456, IM234567, etc.

Here is my failing code:

| dbquery Netcool "select node, ticketnumber, summary from reporter_status where ticketnumber='$ticket_token$'" | eval ticketed = if(match($ticket_token$,"^IM.*"),1,0) | where ticketed > 0

I know the search works alone. It's the 'if' statement screwing things up.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Wildcards are different in the match function. Try match($ticket_token$, "IM%").

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...