Solved: Re: Match using OR statement

rlautman · ‎07-25-2013

In in my host field I have several different addresses, 4 of these addresses are from Location1 and the rest are from Location2. I have constructed the below query to look for the matching addresses within the host fields and assign Location1 to those that match. I can't seem to look for the addresses I want to find in one match statement and the results from the query below, although correct, are a bit messy. Is is possible to use an OR statement within a match or is there another way of going about this?

index=serverapps | eval Loc=if((match(host,"12.34.56.78*")),"Location1","Location2") | eval Loc1=if((match(host,"12.345.67.*")),"Location1","Location2") | stats count by host,Loc,Loc1

reed_kelly · ‎07-25-2013

Match uses PCRE, so you have to escape "." as 1\.2\.3\.4, and you can use the | character as an OR operation:

match(host, "1\.2\.3\.4|5\.6\.7\.8")

View solution in original post

reed_kelly · ‎07-25-2013

Match uses PCRE, so you have to escape "." as 1\.2\.3\.4, and you can use the | character as an OR operation:

match(host, "1\.2\.3\.4|5\.6\.7\.8")

rlautman · ‎07-26-2013

This has worked a treat, thanks

linu1988 · ‎07-25-2013

why not use a lookup, that will be easy and will be reliable with more results coming in future. You can also use CASE for this as well.

Match using OR statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation