Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Like function not working with where condition?

chetanN
Loves-to-Learn Lots
‎12-26-2022 10:27 PM

Hi all,

I am trying to run a basic search where I am trying to print table based on where and like() condition. But its not working. Following is a query. It is always showing 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried following but no luck.

| where like(train2,"%"+$trainNumber$+"%")



can someone please help?

Thanks

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-26-2022 11:45 PM

Hi @chetanN ,

Like is a function usable only in eval command, not in where:

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| search train2="*$trainNumber$*"
| table trainNumber,train2

Ciao.

Giuseppe

0 Karma
Reply

chetanN
Loves-to-Learn Lots
‎12-27-2022 08:25 AM

Thanks for taking the time. But it did not work for me.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2022 01:09 AM

The official docs seem to disagree with you on this 😉

https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions#like.28.26lt....

@chetanNI'm not sure what the logic of your search should be. If you expect the $trainNumber$ string to work as a token name to be replaced with the trainNumber field value - it won't work that way.

 

Reply

chetanN
Loves-to-Learn Lots
‎12-27-2022 08:16 AM

Hi,

I am trying to execute the rest of the statement (in this case table command), only when my parent string contains the substring. The reason I am using variables enclosed in $, is that in real-time, the values are not fixed and will be changed as per the indexed records.

Now if I replace the where command in my query with the following then it works. But again the question is how do I make this like command along with where command to accept a variable instead of a hardcoded value like "%1114%".

| where like (train2, "%1114%")

Thanks,

Chetan

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2022 09:58 AM

OK. I understand that you're trying to filter the results in your pipeline before passing them down to further commands. But I don't quite get why you firstly set the field to some constant value (for all events at that time, mind you!) and then try to use that field's value (not a variable, there is no such concept in Splunk generally speaking).

Try to describe your problem. Not what you're trying to do, but what you whant to achieve. I mean what is the relation between input and output.

You probably could render the value of your field to a string and use it in the "where" comparison but the question is what is this value, where does it come from and how it ended here.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...