I have a search that uses some wildcards:
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf
| eval Actual=case(filename="Statement.pdf","Billing Statement",
filename="Invoice.pdf","Billing Invoice",
filename="text.txt","Billing Text",
filename="*-*.pdf","Scorecard",
filename="*-*_invoice.html","Drilldown Invoice")
You'll notice at the end of my eval command I used wildcards for the filenames. However, when I run this search the 2 filenames I identified in the eval command that are using wildcards will NOT show up in the Actual field. They show up as events and I can clearly see a line from the logs containing these filenames, but they aren't being assigned the filename I specified in the eval command.
Does eval not like wildcards???
No, eval does not like wildcards. And you should also be using == instead of = in your case statement. Try the match function to deal with wildcards explicitly - but remember that match uses regular expressions.
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf
| eval Actual=case(filename=="Statement.pdf","Billing Statement",
filename=="Invoice.pdf","Billing Invoice",
filename=="text.txt","Billing Text",
match(filename,".*-.*\.pdf$"),"Scorecard",
match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice")
This may work. Please comment if it doesn't!
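To make the difference between the two eval versions concrete, here is an added Python model (not from the thread and not Splunk code) of the semantics involved: the search command treats "*" as a wildcard (approximated here with shell-style globbing), while eval's case() compares strings literally and match() applies a regex. The log lines are constructed, the rex pattern uses Python's (?P<name>) group syntax for both groups, and the search-filter approximation ignores Splunk's case-insensitive field matching.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample log lines (not from the original post), shaped like
# the EPPWEB info.log entries the thread's rex command expects.
SAMPLE_LOGS = [
    "USER [1234-AB] downloading /opt/files/Statement.pdf",
    "USER [1234-AB] downloading /opt/files/Invoice.pdf",
    "USER [5678-CD] downloading /opt/files/text.txt",
    "USER [5678-CD] downloading /opt/files/2023-Q1.pdf",
    "USER [9012-EF] downloading /opt/files/2023-Q1_invoice.html",
    "USER [9012-EF] downloading /opt/files/2023-Q1_detail.pdf",
]

# Same regex as the thread's rex command (Python needs (?P<name>) for both groups).
REX = re.compile(r"USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?P<filename>.+?)$")

# The `search` command understands '*' as a wildcard; modelled with globbing here.
INCLUDE = ["Invoice.pdf", "Statement.pdf", "text.txt", "*-*.pdf", "*-*_invoice.html"]
EXCLUDE = ["*-*_*.pdf"]

def passes_search(filename):
    return (any(fnmatchcase(filename, p) for p in INCLUDE)
            and not any(fnmatchcase(filename, p) for p in EXCLUDE))

def classify_literal(filename):
    """Original eval: case() compares literally, so '*' is just a character and
    the two patterned branches can never be true."""
    table = {"Statement.pdf": "Billing Statement", "Invoice.pdf": "Billing Invoice",
             "text.txt": "Billing Text", "*-*.pdf": "Scorecard",
             "*-*_invoice.html": "Drilldown Invoice"}
    return table.get(filename)

def classify_match(filename):
    """Accepted answer: == for fixed names, regex match() for the patterned ones.
    Splunk's match() is unanchored, like re.search."""
    if filename == "Statement.pdf": return "Billing Statement"
    if filename == "Invoice.pdf": return "Billing Invoice"
    if filename == "text.txt": return "Billing Text"
    if re.search(r".*-.*\.pdf$", filename): return "Scorecard"
    if re.search(r".*-.*_invoice\.html$", filename): return "Drilldown Invoice"
    return None

def run(lines, classifier):
    """rex -> search filter -> eval; returns {filename: Actual} (None = no branch matched)."""
    out = {}
    for line in lines:
        m = REX.search(line)
        if m and passes_search(m.group("filename")):
            out[m.group("filename")] = classifier(m.group("filename"))
    return out
```

Running run(SAMPLE_LOGS, classify_literal) leaves the two patterned filenames with Actual unset, exactly the symptom in the question, while classify_match labels them "Scorecard" and "Drilldown Invoice"; the _detail.pdf line is dropped by the NOT clause before eval ever sees it.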
Worked for me as well, thank you!
worked!!
Thanks. 🙂
It did work. Thank you very much!
Hi, sorry for the downvote misclick. I looked at it again and the match function is very useful.