Solved: How to use a wildcard in an eval function?

kiran331 · ‎09-14-2016

Hi

From the search, I get the field file_path. I have to differentiate the events based on the file path.
file_path= file:_C:\users........ and file=file:_D:\......., how to write eval function to differentiate this?

Search I'm using :

index=abc|eval title=if(file LIKE "C:\", "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

View solution in original post

somesoni2 · ‎09-14-2016

With you can use either LIKE function or match function to do regular exp based matching (and wild carding).

index=abc|eval title=if(like(file_path"C:\%"), "Normal", "USB or External Media")

index=abc|eval title=if(match(file_path,"^C:"), "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

How to use a wildcard in an eval function?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

How to use a wildcard in an eval function?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!