Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: eval match with NOT condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've figured out how to use the match condition to use a wildcard in my eval, however now I need to put at NOT with it and I'm stuck.
I have this which works
| eval NewDocType = case(match(Indexer,"ID*"),Document_Type)
But now I need the opposite where Indexer does NOT start with ID* to fill the field OriginalDocType with the Document_Type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just do like this
| eval NewDocType = case(NOT match(Indexer,"^ID"),Document_Type)
With match you can do partial match, no wildcard required. It actually uses regular expression (not like search wildcard), so your current expression will match all Indexer with which have ID* (0 or more occurrence of alphabet D)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kmaron, try the following match condition for finding indexers not starting with ID:
| eval OriginalDocType=case(match(indexer,"^(?!^ID).*"),DocumentType)
Following is a run anywhere example.
| makeresults
| fields - _time
| eval indexer="ID3489724,SID203984,IDKJERH897,ADID90842ID"
| makemv indexer delim=","
| mvexpand indexer
| eval DocumentType="Test"
| eval OriginalDocType=case(match(indexer,"^(?!^ID).*"),DocumentType)
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I ran this your way and then with the NOT that @somesoni2 mentioned the NOT came out a tiny bit faster but it's extremely fast in my tiny search anyway so the difference is negligible. Do you know which one would be more efficient?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kmaron Use Job Inspector with some significant amount of data to test out the performance.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just do like this
| eval NewDocType = case(NOT match(Indexer,"^ID"),Document_Type)
With match you can do partial match, no wildcard required. It actually uses regular expression (not like search wildcard), so your current expression will match all Indexer with which have ID* (0 or more occurrence of alphabet D)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems so simple to just stick a NOT in there. Thank you for explaining about match!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kmaron, to mark this question as answered, please accept the answer if this has helped.
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas
Analytics Workspace deprecation
Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform
