Solved: Using Eval to Filter Values

jason_hotchkiss · ‎01-27-2022

Hello Splunkers -

I am trying to filter any value that is wrapped in $, such as $host$or $value$. I thought the below would work, but it is not. Can someone point out what I am doing wrong? Thanks!

| eval dollar_sign=if(host_value=="$host$" OR host_value=="$value$", "yes", "no")
| search NOT dollar_sign=yes

johnhuang · ‎01-27-2022

| eval dollar_sign=IF(LIKE(host_value, "$%$"), "yes", "no")

View solution in original post

ITWhisperer · ‎01-28-2022

If you are using this in a dashboard, the dollar signs have to be doubled up otherwise it is looking for tokens

| eval dollar_sign=if(host_value=="$$host$$" OR host_value=="$$value$$", "yes", "no")
| search NOT dollar_sign=yes

jason_hotchkiss · ‎01-28-2022

I will keep this in mind if I end up using this in a dashboard. Thank you @ITWhisperer

johnhuang · ‎01-27-2022

| eval dollar_sign=IF(LIKE(host_value, "$%$"), "yes", "no")

jason_hotchkiss · ‎01-28-2022

This solved my use case. Thank you @johnhuang

Using Eval to Filter Values

eval

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform