Wildcard * does not work with If or Case in Splunk

gndivya · ‎11-04-2019

There are 3 different values for one particular field say field1 - "INTPAY\ITS\TD_EFT\can contain other data", "INTPAY\TD_EFT\can contain other data", "Expense_EFT\can contain other data"

Below eval statement doesn't work:

| eval Flag=case((field1 like "INTPAY%TD_EFT%" OR field1 like "INTPAY%ITS%TD_EFT%") ,"1",(field1 like "Expense_EFT%"),"2",1=1,"3")

How can I write a search to get the below requirement:

If field1 is "INTPAY\ITS\TD_EFT\can contain other data" or "INTPAY\TD_EFT\can contain other data", flag should be 1, if field1 is "Expense_EFT\can contain other data", flag should be 2. If none matches, flag should be 3.

Have tried with INTPAY\TD_EFT also.

Please help.

woodcock · ‎11-04-2019

You can use like, match, or searchmatch. Try this:

.... | eval Flag=case(
    match(field1, "^INTPAY\\(ITS\\)?TD_EFT\\") ,"1",
    match(field1, "^Expense_EFT\\"),"2",
    true(),"3")

aberkow · ‎11-04-2019

Hi - I think you can leverage the match command (https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions#match.28SUBJ...) to achieve your desired outcome:
| makeresults count=1 | streamstats count | eval field=case(count=1, "INTPAY\\TD_EFT\\") | eval field2=case(match(field, "TD_EFT"), "1")
You can improve upon the regex outside of my suggestion if you'd like.

Hope this helps! Please accept the answer/upvote if it does.

Wildcard * does not work with If or Case in Splunk

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Wildcard * does not work with If or Case in Splunk

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability