Splunk Search

Why is the splunk eval case with special characters not working?

Chandras11
Communicator

Hi everyone,

When I try to use the following command, it always gives CA_flag as "Other" although lower_Ticket_Desc has an exact matching term. Is there something which I am not doing correctly here:

| eval lower_Ticket_Desc = lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval CA_flag = case(lower_Ticket_Desc=="[yes/no]:no", "Flag_NO", lower_Ticket_Desc=="[yes/no]:yes", "Flag_YES", 1=1, "Other")

I have removed all blank spaces and converted everything to lower case.

TICKET_DESC example = "asdfjkasdhf [Yes/No]: No dfasjaskl" or "asdfjkasdhf [Yes/No]:no asdfadsf" or "asdfjkasdhf [Yes/No]: YES asdfadsf"


FrankVl
Ultra Champion

That's because your case statement uses the == comparison operator, which requires an exact match, while your match string is only a substring of the actual field value.

Try the following using like() and adding % signs before and after the match string:

| eval lower_Ticket_Desc = lower(TICKET_DESC) 
| rex field=lower_Ticket_Desc mode=sed "s/ //g" 
| eval CA_flag = case(like(lower_Ticket_Desc,"%[yes/no]:no%") ,"Flag_NO" ,like(lower_Ticket_Desc,"%[yes/no]:yes%") ,"Flag_YES" , 1=1, "Other" )


niketn
Legend

@Chandras11, please try the following case() statement

| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                     match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                     1=1, "Other")

Following is a run anywhere search for testing:

| makeresults 
| eval lower_Ticket_Desc="[yes/no]:yes" 
| eval CA_flag = case(match(lower_Ticket_Desc,"^\[yes\/no\]:no$") ,"Flag_NO",
                 match(lower_Ticket_Desc,"^\[yes\/no\]:yes$") ,"Flag_YES",
                 1=1, "Other")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

FrankVl
Ultra Champion

I don't think those regular expressions are correct, given that the field values look like this (according to his examples): "asdfjkasdhf [Yes/No]: No dfasjaskl"

If your regex had been correct, then his original == would also have worked, right?

Just remove the ^ and $ signs and it would work.

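To see the accepted like() answer and the point about the ^ and $ anchors side by side, here is an added run-anywhere search (not from either poster) that feeds the three TICKET_DESC examples from the question through the same lower() and sed steps and then evaluates all four comparison styles on each row; the field names flag_eq, flag_like, flag_match and flag_anchored are assumed names for this illustration:

```spl
| makeresults count=3
| streamstats count AS n
| eval TICKET_DESC = case(n==1, "asdfjkasdhf [Yes/No]: No dfasjaskl",
                          n==2, "asdfjkasdhf [Yes/No]:no asdfadsf",
                          n==3, "asdfjkasdhf [Yes/No]: YES asdfadsf")
| eval lower_Ticket_Desc = lower(TICKET_DESC)
| rex field=lower_Ticket_Desc mode=sed "s/ //g"
| eval flag_eq = case(lower_Ticket_Desc=="[yes/no]:no", "Flag_NO",
                      lower_Ticket_Desc=="[yes/no]:yes", "Flag_YES",
                      1=1, "Other")
| eval flag_like = case(like(lower_Ticket_Desc, "%[yes/no]:no%"), "Flag_NO",
                        like(lower_Ticket_Desc, "%[yes/no]:yes%"), "Flag_YES",
                        1=1, "Other")
| eval flag_match = case(match(lower_Ticket_Desc, "\[yes/no\]:no"), "Flag_NO",
                         match(lower_Ticket_Desc, "\[yes/no\]:yes"), "Flag_YES",
                         1=1, "Other")
| eval flag_anchored = case(match(lower_Ticket_Desc, "^\[yes/no\]:no$"), "Flag_NO",
                            match(lower_Ticket_Desc, "^\[yes/no\]:yes$"), "Flag_YES",
                            1=1, "Other")
| table n TICKET_DESC lower_Ticket_Desc flag_eq flag_like flag_match flag_anchored
```

Because the ticket text surrounds the answer, flag_eq and flag_anchored come out as "Other" on every row, while flag_like and flag_match give Flag_NO, Flag_NO, Flag_YES; the same thing happens with any exact-match or fully anchored test on a field that still carries leading and trailing text.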

niketn
Legend

@FrankVl, nothing new... again you beat me to it. I posted a different approach but too late 😉


Chandras11
Communicator

@niketnilay: It's always good to have more than one approach :)


Chandras11
Communicator

Thanks Frank... you reduced one common mistake, which I make regularly 🙂
