Solved: Using Eval to Filter Values

jason_hotchkiss · ‎01-27-2022

Hello Splunkers -

I am trying to filter any value that is wrapped in $, such as $host$or $value$. I thought the below would work, but it is not. Can someone point out what I am doing wrong? Thanks!

| eval dollar_sign=if(host_value=="$host$" OR host_value=="$value$", "yes", "no")
| search NOT dollar_sign=yes

johnhuang · ‎01-27-2022

| eval dollar_sign=IF(LIKE(host_value, "$%$"), "yes", "no")

View solution in original post

ITWhisperer · ‎01-28-2022

If you are using this in a dashboard, the dollar signs have to be doubled up otherwise it is looking for tokens

| eval dollar_sign=if(host_value=="$$host$$" OR host_value=="$$value$$", "yes", "no")
| search NOT dollar_sign=yes

jason_hotchkiss · ‎01-28-2022

I will keep this in mind if I end up using this in a dashboard. Thank you @ITWhisperer

johnhuang · ‎01-27-2022

| eval dollar_sign=IF(LIKE(host_value, "$%$"), "yes", "no")

jason_hotchkiss · ‎01-28-2022

This solved my use case. Thank you @johnhuang

Using Eval to Filter Values

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation