
Like function not working with where condition?

chetanN
Loves-to-Learn Lots

Hi all,

I am trying to run a basic search where I am trying to print a table based on a where and like() condition. But it's not working. Following is the query. It always shows 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried following but no luck.

| where like(train2,"%"+$trainNumber$+"%")



can someone please help?

Thanks


gcusello
SplunkTrust

Hi @chetanN ,

Like is a function usable only in eval command, not in where:

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| search train2="*$trainNumber$*"
| table trainNumber,train2

Ciao.

Giuseppe


chetanN
Loves-to-Learn Lots

Thanks for taking the time. But it did not work for me.


PickleRick
SplunkTrust

The official docs seem to disagree with you on this 😉

https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions#like.28.26lt....

@chetanN I'm not sure what the logic of your search should be. If you expect the $trainNumber$ string to work as a token name to be replaced with the trainNumber field value, it won't work that way.

chetanN
Loves-to-Learn Lots

Hi,

I am trying to execute the rest of the statement (in this case the table command) only when my parent string contains the substring. The reason I am using variables enclosed in $ is that in real time the values are not fixed and will change as per the indexed records.

Now if I replace the where command in my query with the following, then it works. But again the question is how do I make this like() call in the where command accept a variable instead of a hardcoded value like "%1114%".

| where like (train2, "%1114%")

Thanks,

Chetan


PickleRick
SplunkTrust

OK. I understand that you're trying to filter the results in your pipeline before passing them down to further commands. But I don't quite get why you firstly set the field to some constant value (for all events at that time, mind you!) and then try to use that field's value (not a variable, there is no such concept in Splunk generally speaking).

Try to describe your problem. Not what you're trying to do, but what you want to achieve. I mean, what is the relation between input and output?

You probably could render the value of your field to a string and use it in the "where" comparison, but the question is what this value is, where it comes from and how it ended up here.

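As an added example (not code from any post in this thread), the following self-contained SPL shows the per-event field comparison the replies point at: the pattern passed to like() is built from the trainNumber field with the eval string-concatenation operator ".", rather than from a $token$, and string literals are quoted. The three rows are constructed with makeresults and case() purely as sample input.

```spl
| makeresults count=3
| streamstats count AS n
| eval trainNumber = case(n=1, "1114", n=2, "2231", n=3, "1114")
| eval train2 = case(n=1, "A_BCD_1114_EFG", n=2, "X_YZ_9999_Q", n=3, "K_1114_L")
| where like(train2, "%" . trainNumber . "%")
| table trainNumber, train2
```

Rows 1 and 3 survive the where clause and row 2 is dropped, because the comparison uses each event's own trainNumber value. Note that in a like() pattern "%" matches any run of characters and "_" matches exactly one character, so a field value containing underscores used as the pattern side would act as a wildcard rather than a literal.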