Splunk Search

Like function not working with where condition?

chetanN
Loves-to-Learn Lots

Hi all,

I am trying to run a basic search where I am trying to print table based on where and like() condition. But its not working. Following is a query. It is always showing 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried following but no luck.

| where like(train2,"%"+$trainNumber$+"%")



can someone please help?

Thanks


gcusello
SplunkTrust

Hi @chetanN ,

Like is a function usable only in eval command, not in where:

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| search train2="*$trainNumber$*"
| table trainNumber,train2

Ciao.

Giuseppe


chetanN
Loves-to-Learn Lots

Thanks for taking the time. But it did not work for me.


PickleRick
SplunkTrust

The official docs seem to disagree with you on this 😉

https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions#like.28.26lt....

@chetanN I'm not sure what the logic of your search should be. If you expect the $trainNumber$ string to work as a token name to be replaced with the trainNumber field value - it won't work that way.

chetanN
Loves-to-Learn Lots

Hi,

I am trying to execute the rest of the statement (in this case table command), only when my parent string contains the substring. The reason I am using variables enclosed in $, is that in real-time, the values are not fixed and will be changed as per the indexed records.

Now if I replace the where command in my query with the following then it works. But again the question is how do I make this like command along with where command to accept a variable instead of a hardcoded value like "%1114%".

| where like (train2, "%1114%")

Thanks,

Chetan


PickleRick
SplunkTrust

OK. I understand that you're trying to filter the results in your pipeline before passing them down to further commands. But I don't quite get why you firstly set the field to some constant value (for all events at that time, mind you!) and then try to use that field's value (not a variable, there is no such concept in Splunk generally speaking).

Try to describe your problem. Not what you're trying to do, but what you want to achieve. I mean what is the relation between input and output.

You probably could render the value of your field to a string and use it in the "where" comparison but the question is what is this value, where does it come from and how it ended here.

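Putting the suggestion above into SPL, as an added example that is not from any post in this thread: there is no $token$ substitution inside a search pipeline, so the pattern for like() has to be built by concatenating the field's value with the "." string operator. The field names trainNumber and train2 are the thread's; the two rows are constructed with makeresults so the search runs on any Splunk instance without the traindetails index, and the string values must be quoted (an unquoted value on the right of eval is read as a field name).

```spl
| makeresults count=2
| streamstats count AS row
| eval trainNumber=if(row=1, "1114", "2215"), train2="A_BCD_1114_EFG"
| where like(train2, "%".trainNumber."%")
| table trainNumber, train2
```

Only the row with trainNumber=1114 survives the where command. Because "%" and "_" are wildcards inside a like() pattern, a trainNumber that can itself contain those characters should be compared with match(train2, trainNumber) after escaping it, or with a plain equality on an extracted field, rather than with like().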