Using like() in a case statement not working

msarro · ‎03-13-2012

Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for literal asterisks(*). To work around I am using a regex to select only records starting with * or #, and then I am trying to use a case statement in eval to figure out what type of feature is being used by our customer.

Example values of MYSOURCEFIELD (not exhaustive): *67, #31, *82

Here is the search currently, it only searches for the first 2 cases:

index=MYSOURCE|regex MYSOURCEFIELD="(\*|#)(31|67|82|65|77|87)"|eval Feature_Code=case(like(MYSOURCEFIELD,"%31"),"Caller ID Blocking Per Line",like(MYSOURCEFIELD,"%67"),"Caller ID Blocking Per Call")|table Feature_Code

This returns nothing, even though I know a significant number of both are being utilized and can even be seen without the eval/case statement. Any suggestions on how to make the case statement work would be really appreciated, thank you.

schava · ‎03-22-2012

Were you able to do this in steps, first evaluating your data -
index = my_source - did return some events,
index = my_source | regex my_source_field="(*|#)(31|67|82|65|77|87)" - did populate the field my_source_field,
then if that is the case, try adding the following
| eval feature_code = case(my_source_field like "%31%","Caller ID Blocking Per Line",my_source_field like "%67%","Caller ID Blocking Per Call") | table feature_code

Nextbeat · ‎04-06-2018

Your example definitely helped me get case working with like.

Using like() in a case statement not working

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7