Splunk Search

How to run a search only if the format of the passed in ticket number is valid?

Explorer

I've been struggling with how to use 'if' via eval to determine whether or not to run a search.

We only want to run a search if the passed in ticket number is in a valid format - e.g., IM123456, IM234567, etc.

Here is my failing code:

| dbquery Netcool "select node, ticketnumber, summary from reporter_status where ticketnumber='$ticket_token$'" | eval ticketed = if(match($ticket_token$,"^IM.*"),1,0) | where ticketed > 0

I know the search works alone. It's the 'if' statement screwing things up.

0 Karma

SplunkTrust
SplunkTrust

Wildcards are different in the match function. Try match($ticket_token$, "IM%").

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!