Splunk Search

Like function not working with where condition?

chetanN
Loves-to-Learn Lots

Hi all,

I am trying to run a basic search that prints a table based on a where and like() condition, but it's not working. The query is below. It always shows 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried following but no luck.

| where like(train2,"%"+$trainNumber$+"%")



can someone please help?

Thanks


gcusello
SplunkTrust

Hi @chetanN ,

like() is a function usable only in the eval command, not in where:

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| search train2="*$trainNumber$*"
| table trainNumber,train2

Ciao.

Giuseppe


chetanN
Loves-to-Learn Lots

Thanks for taking the time. But it did not work for me.


PickleRick
SplunkTrust

The official docs seem to disagree with you on this 😉

https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions#like.28.26lt....

@chetanN I'm not sure what the logic of your search should be. If you expect the $trainNumber$ string to work as a token name to be replaced with the trainNumber field value, it won't work that way.

chetanN
Loves-to-Learn Lots

Hi,

I am trying to execute the rest of the statement (in this case the table command) only when my parent string contains the substring. The reason I am using variables enclosed in $ is that in real time the values are not fixed and will change as per the indexed records.

Now if I replace the where command in my query with the following, then it works. But again the question is how do I make this like() function, used with the where command, accept a variable instead of a hardcoded value like "%1114%".

| where like(train2, "%1114%")

Thanks,

Chetan


PickleRick
SplunkTrust

OK. I understand that you're trying to filter the results in your pipeline before passing them down to further commands. But I don't quite get why you first set the field to some constant value (for all events at that time, mind you!) and then try to use that field's value (not a variable; there is no such concept in Splunk, generally speaking).

Try to describe your problem. Not what you're trying to do, but what you want to achieve. I mean, what is the relation between input and output?

You probably could render the value of your field to a string and use it in the "where" comparison, but the question is what this value is, where it comes from and how it ended up here.

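The field-to-string comparison PickleRick alludes to, written out as an added example that is not part of the thread and not any poster's own search. SPL has no variables and `$trainNumber$` is dashboard token syntax that is substituted before a dashboard search is dispatched; in a plain search it stays literal, so `"%$trainNumber$%"` never matches. What eval and where do offer is the `.` string-concatenation operator, so the pattern can be built from the field's value at search time. The index, sourcetype and field names are taken from the original post; the literal `A_BCD_1114_EFG` is quoted here so it is a string rather than a reference to a nonexistent field (which would leave train2 null):

```spl
index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2="A_BCD_1114_EFG"
| where isnotnull(trainNumber) AND trainNumber!="" AND like(train2, "%" . trainNumber . "%")
| table trainNumber, train2
```

Two checks a practitioner would want before using this on real data. First, the guard on trainNumber matters: an empty value turns the pattern into `%%`, which matches every event, and a null value makes like() return false for all of them. Second, like() treats `%` and `_` inside the pattern as wildcards, so if trainNumber comes from indexed records rather than a constant (the assumed real-world case, where the `eval trainNumber=` line would be dropped in favour of an extracted field) and can contain those characters, the match silently widens; the same applies to regex metacharacters if `match(train2, trainNumber)` is used instead. Validate or constrain the field's format before trusting it as a pattern.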