Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval wildcards

gnovak
Builder
‎08-09-2012 02:25 PM

I have a search that uses some wildcards:

sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT 
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" 
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf 
| eval Actual=case(filename="Statement.pdf","Billing Statement",
                   filename="Invoice.pdf","Billing Invoice",
                   filename="text.txt","Billing Text",
                   filename="*-*.pdf","Scorecard",
                   filename="*-*_invoice.html","Drilldown Invoice")

You'll notice at the end of my eval command I used wildcards for the filenames. However, when I run this search the 2 filenames I identified in the eval command that are using wildcards will NOT show up in the Actual field. They show up as events and I can clearly see a line from the logs containing these filenames, but they aren't being assigned the filename I specified in the eval command.

Does eval not like wildcards???

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-09-2012 03:04 PM

No, eval does not like wildcards. And you should also be using == instead of = in your case statement. Try the match function to deal with wildcards explicitly - but remember that match uses regular expressions.

sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT 
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" 
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf 
| eval Actual=case(filename=="Statement.pdf","Billing Statement",
                   filename=="Invoice.pdf","Billing Invoice",
                   filename=="text.txt","Billing Text",
                   match(filename,".*-.*\.pdf$"),"Scorecard",
                   match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice")

This may work. Please comment if it doesn't!

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-09-2012 03:04 PM

No, eval does not like wildcards. And you should also be using == instead of = in your case statement. Try the match function to deal with wildcards explicitly - but remember that match uses regular expressions.

sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT 
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$" 
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf 
| eval Actual=case(filename=="Statement.pdf","Billing Statement",
                   filename=="Invoice.pdf","Billing Invoice",
                   filename=="text.txt","Billing Text",
                   match(filename,".*-.*\.pdf$"),"Scorecard",
                   match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice")

This may work. Please comment if it doesn't!

Reply
Solved! Jump to solution

rfiscus
Path Finder
‎09-22-2016 02:13 PM

Worked for me as well, thank you!

0 Karma
Reply
Solved! Jump to solution

smitra_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 09:45 PM

worked!!
Thanks. 🙂

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎08-10-2012 08:21 AM

It did work. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

psciegienny
New Member
‎07-14-2015 01:14 PM

Hi, sorry for downvote misclick. I look at it again and match function is very useful.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...