Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using match to see if a container begins with a string and setting a value as a result

SleepyGuy
Engager
‎07-12-2024 12:56 AM

I am trying to write a search query as part of our alerting.  The intention is that if search results come from a certain container (kubernetes.container_name) e.g. service1, service2 or service3 then I should set a priority of 2.

The problem is that the service names have a version number appended to them e.g. service1-v1-0 or service3-v3-0b to give two such examples.

My intention was to use a combination of 'if' and 'match' with a wildcard to achieve this but it doesn't seem to work.  The reason for me using this was that the start of the container_name would remain the same and as the version numbers change the search that I'm attempting to write should be future proofed.

| eval priority = if(match(kubernetes.container_name, "^service1-v*|^service2-v*|^service3*"), "2", "Not set")

However these are returning "Not set" even when the expected kubernetes.container_name is used.

Can someone help me understand why this isn't working, how to fix and whether there might be a better way of doing this?

Thanks!

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2024 02:01 AM

The match function uses regex so the wildcards are different - try this

| eval priority = if(match(kubernetes.container_name, "^service1-v.*|^service2-v.*|^service3.*"), "2", "Not set")
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...