Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use wildcard in case like condition?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use wildcard in case like condition?
karthi2809
Builder
03-11-2024
03:42 AM
Hi Guys, Thanks in Advance. So i have case conditions to be match in my splunk query.below the message based on correlationID.I want to show JobType and status. In status i added case like to match the conditions with message field.For the all three environment the message would be same but the environment name only differe.I added all the three in case. So how can we use wildcard in the case statement or any other different solutions to shorten the query.
(message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur")
(message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName | eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown") | eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur"%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-11-2024
06:11 AM
The case function does not support wildcards natively, but you can use them in like (as you have) or you can use the equivalent regular expression using match.
| eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", match('message',"(TEST|DEV|PRD)\(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur"),"SUCCESS", like('TracePoint',"%EXCEPTION%"),"ERROR")
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
03-11-2024
08:35 AM
@richgalloway Its not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-11-2024
09:17 AM
"its not working" doesn't tell me what's wrong so it's hard to offer a fix. It's possible, however, the regex needs improvement. Please try my updated answer.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
03-12-2024
05:39 AM
As you mentioned match condition in case statement.let me share the query.If i use match i am not getting the Status field
index="mule" applicationName="api" environment=DEV timestamp (message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")|transaction correlationId| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"),"OnDemand",like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true() , "Unknown")
| eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS",match('message',"%(TEST|DEV|PRD)(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS",like('TracePoint',"%EXCEPTION%"),"ERROR")
|eventstats min(Timestamp) AS Start_Time, max(Timestamp) AS End_Time by CorrelationId
| eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ"))
| eval ElapsedTimeInSecs=EndTime-StartTime
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S")
|rename Start_Time as Timestamp
| table Status JobType ElapsedTimeInSecs "Total Elapsed Time" Timestamp CorrelationId message TargetFileName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-12-2024
06:24 AM
The match function treats "%" as a literal character rather than as a wildcard. Instead, match uses regular expressions. Remove the "%" from the match string and you should get a status value.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Introducing the Splunk Community Dashboard Challenge!
Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...
Get the T-shirt to Prove You Survived Splunk University Bootcamp
As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...
Wondering How to Build Resiliency in the Cloud?
IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience, ...
