Using like() in a case statement not working

msarro · ‎03-13-2012

Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for literal asterisks(*). To work around I am using a regex to select only records starting with * or #, and then I am trying to use a case statement in eval to figure out what type of feature is being used by our customer.

Example values of MYSOURCEFIELD (not exhaustive): *67, #31, *82

Here is the search currently, it only searches for the first 2 cases:

index=MYSOURCE|regex MYSOURCEFIELD="(\*|#)(31|67|82|65|77|87)"|eval Feature_Code=case(like(MYSOURCEFIELD,"%31"),"Caller ID Blocking Per Line",like(MYSOURCEFIELD,"%67"),"Caller ID Blocking Per Call")|table Feature_Code

This returns nothing, even though I know a significant number of both are being utilized and can even be seen without the eval/case statement. Any suggestions on how to make the case statement work would be really appreciated, thank you.

schava · ‎03-22-2012

Were you able to do this in steps, first evaluating your data -
index = my_source - did return some events,
index = my_source | regex my_source_field="(*|#)(31|67|82|65|77|87)" - did populate the field my_source_field,
then if that is the case, try adding the following
| eval feature_code = case(my_source_field like "%31%","Caller ID Blocking Per Line",my_source_field like "%67%","Caller ID Blocking Per Call") | table feature_code

Nextbeat · ‎04-06-2018

Your example definitely helped me get case working with like.

Using like() in a case statement not working

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?