Splunk Search

Why is the splunk eval case with special characters not working?

Communicator

Hi everyone,

When I try to use the following command, it always gives CA_flag as "Other" although lower_Ticket_Desc has an exact matching term. Is there something which I am not doing correctly here:

| eval lower_Ticket_Desc = lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval CA_flag = case(lower_Ticket_Desc=="[yes/no]:no" ,"Flag_NO" ,lower_Ticket_Desc=="[yes/no]:yes"  ,"Flag_YES" , 1=1, "Other" )

I have removed all blank spaces and converted everything to lower case.

TICKET_DESC examples: "asdfjkasdhf [Yes/No]: No dfasjaskl" or "asdfjkasdhf [Yes/No]:no asdfadsf" or "asdfjkasdhf [Yes/No]: YES asdfadsf"

1 Solution

Ultra Champion

That's because your case statement uses the == comparison operator, which requires an exact match, while your match string is only a substring of the actual field value.

Try the following using like() and adding % signs before and after the match string:

| eval lower_Ticket_Desc = lower(TICKET_DESC) 
| rex field=lower_Ticket_Desc mode=sed "s/ //g" 
| eval CA_flag = case(like(lower_Ticket_Desc,"%[yes/no]:no%") ,"Flag_NO" ,like(lower_Ticket_Desc,"%[yes/no]:yes%") ,"Flag_YES" , 1=1, "Other" )


SplunkTrust

@Chandras11, please try the following case() statement

| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                     match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                     1=1, "Other")

Following is a run-anywhere search for testing:

| makeresults 
| eval lower_Ticket_Desc="[yes/no]:yes" 
| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                 match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                 1=1, "Other")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Ultra Champion

I don't think those regular expressions are correct, given that the field values look like this (according to his examples): "asdfjkasdhf [Yes/No]: No dfasjaskl"

If your regex would have been correct, then his original == would also have worked, right?

Just remove the ^ and $ signs and it would work.

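A run-anywhere comparison, added here as an editor's example rather than code from any of the posters: it builds the three sample TICKET_DESC values from the question with makeresults, then computes the flag three ways side by side (the original ==, the accepted like(), and match() without the ^ and $ anchors) so the difference discussed above is visible in one table. The fourth column, flag_regex, is an additional approach that is not in the thread: it skips the sed space-stripping and matches the raw TICKET_DESC with a case-insensitive regex that tolerates optional whitespace after the colon. The sample strings and field names are taken from the question; the column names flag_eq, flag_like, flag_match and flag_regex are assumed for illustration.

```spl
| makeresults
| eval TICKET_DESC = split("asdfjkasdhf [Yes/No]: No dfasjaskl|asdfjkasdhf [Yes/No]:no asdfadsf|asdfjkasdhf [Yes/No]: YES asdfadsf", "|")
| mvexpand TICKET_DESC
| eval lower_Ticket_Desc = lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval flag_eq = case(lower_Ticket_Desc=="[yes/no]:no", "Flag_NO",
                      lower_Ticket_Desc=="[yes/no]:yes", "Flag_YES",
                      1=1, "Other")
| eval flag_like = case(like(lower_Ticket_Desc, "%[yes/no]:no%"), "Flag_NO",
                        like(lower_Ticket_Desc, "%[yes/no]:yes%"), "Flag_YES",
                        1=1, "Other")
| eval flag_match = case(match(lower_Ticket_Desc, "\[yes\/no\]:no"), "Flag_NO",
                         match(lower_Ticket_Desc, "\[yes\/no\]:yes"), "Flag_YES",
                         1=1, "Other")
| eval flag_regex = case(match(TICKET_DESC, "(?i)\[yes/no\]:\s*no\b"), "Flag_NO",
                         match(TICKET_DESC, "(?i)\[yes/no\]:\s*yes\b"), "Flag_YES",
                         1=1, "Other")
| table TICKET_DESC lower_Ticket_Desc flag_eq flag_like flag_match flag_regex
```

The split/mvexpand pair turns the one makeresults row into three rows, one per sample description, and the next two lines reproduce the question's lower() and sed steps exactly. flag_eq stays "Other" on every row because each lower_Ticket_Desc still carries the surrounding text after the spaces are removed, whereas flag_like and flag_match both classify the rows as intended. Two caveats when adapting this: like() treats `_` as a single-character wildcard and `%` as any run of characters, so a pattern containing underscores matches more than the literal text, and case() returns the value of the first condition that is true, so a more specific pattern must be listed before a looser one. The flag_regex variant also avoids mutating the field with sed, which matters if lower_Ticket_Desc is needed unchanged later in the search.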


SplunkTrust

@FrankVl, nothing new... again you beat me to it. I posted a different approach but too late 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Communicator

@niketnilay: It's always good to have more than one approach :)


Communicator

Thanks Frank, you reduced one common mistake which I make regularly 🙂
