- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using like() in a case statement not working
Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for literal asterisks(*). To work around I am using a regex to select only records starting with * or #, and then I am trying to use a case statement in eval to figure out what type of feature is being used by our customer.
Example values of MYSOURCEFIELD (not exhaustive): *67, #31, *82
Here is the search currently, it only searches for the first 2 cases:
index=MYSOURCE|regex MYSOURCEFIELD="(\*|#)(31|67|82|65|77|87)"|eval Feature_Code=case(like(MYSOURCEFIELD,"%31"),"Caller ID Blocking Per Line",like(MYSOURCEFIELD,"%67"),"Caller ID Blocking Per Call")|table Feature_Code
This returns nothing, even though I know a significant number of both are being utilized and can even be seen without the eval/case statement. Any suggestions on how to make the case statement work would be really appreciated, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Were you able to do this in steps, first evaluating your data -
index = my_source - did return some events,
index = my_source | regex my_source_field="(*|#)(31|67|82|65|77|87)" - did populate the field my_source_field,
then if that is the case, try adding the following
| eval feature_code = case(my_source_field like "%31%","Caller ID Blocking Per Line",my_source_field like "%67%","Caller ID Blocking Per Call") | table feature_code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your example definitely helped me get case working with like.
