Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk eval if with wildcard

sboogaar
Path Finder
‎01-31-2019 05:41 AM

Im trying to set a boolean based on a match in a string.
I want to set a value to 1 if it does not match ingestion* and set it to 0 if it does match.
The following example shows the problem:

index="balblableaw" 
| append 
    [| makeresults 
    | eval app_name ="ingestion_something"] 
| append 
    [| makeresults 
    | eval app_name ="should-match-only"] 
| eval not_contains_ingestion = if(app_name!="ingestion*",1,0) 
| table app_name, not_contains_ingestion

The expected result was that should-match-only would be 1 and the ingestion_something would be 0

alt text

Tags (2)
ingestion-match.png
Preview file
38 KB
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-31-2019 05:47 AM

Try this:

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(app_name like "ingestion%" ,1,0) 
 | table app_name, not_contains_ingestion
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2019 05:45 AM

@sboogaar,

Use match

index="balblableaw" 
 | append 
     [| makeresults 
     | eval app_name ="ingestion_something"] 
 | append 
     [| makeresults 
     | eval app_name ="should-match-only"] 
 | eval not_contains_ingestion = if(match(app_name,"ingestion"),0,1) 
 | table app_name, not_contains_ingestion
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

sboogaar
Path Finder
‎02-01-2019 04:30 AM

Thanks for the answer, can you explain why my own example was not working. I try to understand the disabilities from splunk.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-02-2019 05:00 AM

In eval it doesn't treat * as wildcard but as literal

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top