Solved: How to use a wildcard in an eval function?

kiran331 · ‎09-14-2016

Hi

From the search, I get the field file_path. I have to differentiate the events based on the file path.
file_path= file:_C:\users........ and file=file:_D:\......., how to write eval function to differentiate this?

Search I'm using :

index=abc|eval title=if(file LIKE "C:\", "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

View solution in original post

somesoni2 · ‎09-14-2016

With you can use either LIKE function or match function to do regular exp based matching (and wild carding).

index=abc|eval title=if(like(file_path"C:\%"), "Normal", "USB or External Media")

index=abc|eval title=if(match(file_path,"^C:"), "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

How to use a wildcard in an eval function?

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Are you a member of the Splunk Community?

How to use a wildcard in an eval function?

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility