Solved: How to use a wildcard in an eval function?

kiran331 · ‎09-14-2016

Hi

From the search, I get the field file_path. I have to differentiate the events based on the file path.
file_path= file:_C:\users........ and file=file:_D:\......., how to write eval function to differentiate this?

Search I'm using :

index=abc|eval title=if(file LIKE "C:\", "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

View solution in original post

somesoni2 · ‎09-14-2016

With you can use either LIKE function or match function to do regular exp based matching (and wild carding).

index=abc|eval title=if(like(file_path"C:\%"), "Normal", "USB or External Media")

index=abc|eval title=if(match(file_path,"^C:"), "Normal", "USB or External Media")

sundareshr · ‎09-14-2016

Try using match()

index=abc | eval title=if(match(x, "C:\\\\"), "Normal", "USB")

How to use a wildcard in an eval function?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to use a wildcard in an eval function?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...