I'm trying to set a boolean based on a match in a string.
I want to set a value to 1 if it does not match ingestion* and set it to 0 if it does match.
The following example shows the problem:
index="balblableaw"
| append
[| makeresults
| eval app_name ="ingestion_something"]
| append
[| makeresults
| eval app_name ="should-match-only"]
| eval not_contains_ingestion = if(app_name!="ingestion*",1,0)
| table app_name, not_contains_ingestion
The expected result was that should-match-only would be 1 and ingestion_something would be 0.
@sboogaar,
Use match
index="balblableaw"
| append
[| makeresults
| eval app_name ="ingestion_something"]
| append
[| makeresults
| eval app_name ="should-match-only"]
| eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1)
| table app_name, not_contains_ingestion
Try this:
index="balblableaw"
| append
[| makeresults
| eval app_name ="ingestion_something"]
| append
[| makeresults
| eval app_name ="should-match-only"]
| eval not_contains_ingestion = if(app_name like "ingestion%",0,1)
| table app_name, not_contains_ingestion
Thanks for the answer. Can you explain why my own example was not working? I am trying to understand the disabilities of Splunk.
In eval, it doesn't treat * as a wildcard but as a literal.
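The three comparisons from this thread side by side, as an added example that is not part of the original posts. The sample values pre-ingestion-job and the literal string ingestion* are constructed here, as are the output field names, to show where the approaches differ; match() takes an unanchored regular expression, so the ^ anchor is what restricts it to a prefix the way ingestion* was meant to.

```spl
| makeresults
| eval app_name=split("ingestion_something,should-match-only,pre-ingestion-job,ingestion*", ",")
| mvexpand app_name
| eval literal_neq  = if(app_name!="ingestion*", 1, 0)
| eval regex_any    = if(match(app_name, "ingestion"), 0, 1)
| eval regex_prefix = if(match(app_name, "^ingestion"), 0, 1)
| eval like_prefix  = if(like(app_name, "ingestion%"), 0, 1)
| table app_name, literal_neq, regex_any, regex_prefix, like_prefix
```

literal_neq is 0 only for the row whose value is exactly ingestion*, while regex_any also flags pre-ingestion-job as a match because the pattern can occur anywhere in the string. regex_prefix and like_prefix agree with each other and treat only values that start with ingestion as matches.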