Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nesting functions in 'where' in 4.3

gmor
Explorer
‎01-11-2012 12:23 AM

Hi,

Very quick question that someone may be able to answer.

In a complex form search that we have, we use the 'where' function to filter the results. So that the data is case-insensitive, we use the 'lower' function.

In version 4.2.5, this syntax works fine:

where like(lower(Room),lower("%MB.1%"))

('Room' is a field in the search, the other data is user entered so can vary wildly)

In version 4.3, I get the error:

"Error in 'where' command: The arguments to the 'like' function are invalid."

Is this an error, or can we no longer nest functions?

Any advice or suggestions would be appreciated.

Thanks,

Graham.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-01-2015 02:25 PM

It works in v6 but why are you lowering your match string; why not just lower it yourself like this:

where like(lower(Room),"%mb.1%"))

Assuming that there actually is some valid reason for needing this (e.g. you are using a $token$ for the match string), switch from SQL-type like to RegEx-type match and use the ignorecase inline token like this:

where match(lower(Room),"(?i)MB.1"))
0 Karma
Reply

gmor
Explorer
‎06-02-2015 11:00 PM

Hi. Wow, this takes me back a few years...

Thanks for your answer.

Yes, the question did relate to the use of a $token$ in an Advanced XML View. Otherwise yes, I get that I could turn off Cap Lock and type the string in lowercase(!)

But thank you for the suggestion of using the match function. I hadn't come across it before and I think it will prove useful in a number of different situations.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-03-2015 06:12 AM

I am mining older unanswered questions for karma so please accept my answer. I am glad it was at least educational, if it could not be useful.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...