Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk eval if with wildcard

sboogaar
Path Finder
‎01-31-2019 05:41 AM

Im trying to set a boolean based on a match in a string.
I want to set a value to 1 if it does not match ingestion* and set it to 0 if it does match.
The following example shows the problem:

index="balblableaw" 
| append 
    [| makeresults 
    | eval app_name ="ingestion_something"] 
| append 
    [| makeresults 
    | eval app_name ="should-match-only"] 
| eval not_contains_ingestion = if(app_name!="ingestion*",1,0) 
| table app_name, not_contains_ingestion

The expected result was that should-match-only would be 1 and the ingestion_something would be 0

alt text

Tags (2)
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-31-2019 05:47 AM

Try this:

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(app_name like "ingestion%" ,1,0) 
 | table app_name, not_contains_ingestion
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sboogaar
Path Finder
‎02-01-2019 04:30 AM

Thanks for the answer, can you explain why my own example was not working. I try to understand the disabilities from splunk.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2019 05:00 AM

In eval it doesn't treat * as wildcard but as literal

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...