Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk eval if with wildcard

sboogaar
Path Finder
‎01-31-2019 05:41 AM

Im trying to set a boolean based on a match in a string.
I want to set a value to 1 if it does not match ingestion* and set it to 0 if it does match.
The following example shows the problem:

index="balblableaw" 
| append 
    [| makeresults 
    | eval app_name ="ingestion_something"] 
| append 
    [| makeresults 
    | eval app_name ="should-match-only"] 
| eval not_contains_ingestion = if(app_name!="ingestion*",1,0) 
| table app_name, not_contains_ingestion

The expected result was that should-match-only would be 1 and the ingestion_something would be 0

alt text

Tags (2)
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-31-2019 05:47 AM

Try this:

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(app_name like "ingestion%" ,1,0) 
 | table app_name, not_contains_ingestion
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sboogaar
Path Finder
‎02-01-2019 04:30 AM

Thanks for the answer, can you explain why my own example was not working. I try to understand the disabilities from splunk.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2019 05:00 AM

In eval it doesn't treat * as wildcard but as literal

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...