Splunk Search

Like function not working with where condition?

chetanN
Loves-to-Learn Lots

Hi all,

I am trying to run a basic search that prints a table based on a where condition using like(). But it's not working. Following is the query. It always shows 0 results.

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| where like(train2,"%$trainNumber$%")
| table trainNumber,train2

I also tried following but no luck.

| where like(train2,"%"+$trainNumber$+"%")



can someone please help?

Thanks

0 Karma

gcusello
SplunkTrust

Hi @chetanN ,

like() is a function usable only in the eval command, not in where:

index="traindetails" sourcetype=*
| eval trainNumber="1114"
| eval train2 = A_BCD_1114_EFG
| search train2="*$trainNumber$*"
| table trainNumber,train2

Ciao.

Giuseppe

0 Karma

chetanN
Loves-to-Learn Lots

Thanks for taking the time. But it did not work for me.

0 Karma

PickleRick
SplunkTrust

The official docs seem to disagree with you on this 😉

https://docs.splunk.com/Documentation/SCS/current/SearchReference/ConditionalFunctions#like.28.26lt....

@chetanN I'm not sure what the logic of your search should be. If you expect the $trainNumber$ string to work as a token name to be replaced with the trainNumber field value, it won't work that way.


chetanN
Loves-to-Learn Lots

Hi,

I am trying to execute the rest of the statement (in this case the table command) only when my parent string contains the substring. The reason I am using variables enclosed in $ is that in real time the values are not fixed and will change as per the indexed records.

Now if I replace the where command in my query with the following, then it works. But again the question is how do I make this like() call, along with the where command, accept a variable instead of a hardcoded value like "%1114%".

| where like (train2, "%1114%")

Thanks,

Chetan

0 Karma

PickleRick
SplunkTrust

OK. I understand that you're trying to filter the results in your pipeline before passing them down to further commands. But I don't quite get why you first set the field to some constant value (for all events at that time, mind you!) and then try to use that field's value (not a variable; there is no such concept in Splunk, generally speaking).

Try to describe your problem. Not what you're trying to do, but what you want to achieve. I mean, what is the relation between input and output.

You probably could render the value of your field to a string and use it in the "where" comparison but the question is what is this value, where does it come from and how it ended here.

0 Karma
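Added example (not from any of the posters above, and not the original query): the pattern the thread circles around, written against constructed data from makeresults instead of the traindetails index. Inside eval and where a field is referenced by its bare name and strings are joined with the `.` operator, so the like() pattern is built as "%".trainNumber."%". The $trainNumber$ form in the question is dashboard token syntax, substituted before a dashboard search runs; in an ad hoc search nothing replaces it, so the pattern is the literal text. Likewise, an unquoted value such as A_BCD_1114_EFG on the right-hand side of eval is read as a field name, not a string; string literals need double quotes. The field names trainNumber and train2 are taken from the thread; the three sample rows are constructed.

```spl
| makeresults count=3
| streamstats count AS n
| eval trainNumber=case(n==1, "1114", n==2, "2231", n==3, "1114")
| eval train2=case(n==1, "A_BCD_1114_EFG", n==2, "A_BCD_1114_EFG", n==3, "X_2231_Y")
| where like(train2, "%".trainNumber."%")
| table trainNumber, train2
```

Only the first row survives the where clause (1114 is a substring of A_BCD_1114_EFG); the second row is dropped because its pattern is %2231%, and the third because %1114% does not match X_2231_Y. One caveat: like() treats `_` as a single-character wildcard and `%` as an any-length wildcard, so a trainNumber value containing either character would match more than intended; for a strictly literal substring test, escape those characters first or use match() with an anchored regex instead.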