Splunk Search
Highlighted

how to use a wild card in if condition in eval?

Builder

I have an eval condition as below which is working good.

| eval Project=if(app=="abc_def_123", "XYZ", "ZXT")

Now If I have given a wild card as shown below it's not working. How can I apply the wild card as shown below and get the required results?

| eval Project=if(app=="abc_*", "XYZ", "ZXT")
0 Karma
Highlighted

Re: how to use a wild card in if condition in eval?

Esteemed Legend

You cannot; you must use something else like like or match or searchmatch like this:

... | eval Project=if(match(app, "^abc_"), "XYZ", "ZXT")
0 Karma