Splunk Search

multiple like within if statement

Path Finder

In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY

If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.

This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host

but multiple like failed, I got invalid eval statement

sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")

My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.

Thanks in advance.

Tags (1)
0 Karma

Path Finder

Thank you, Kristian. It works.

0 Karma


Please mark the answer as accepted. Thank you.

0 Karma

Ultra Champion


Something along the lines of:

sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT",  host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup

hope this helps,



Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?


0 Karma


You can shorten this:

host LIKE "%", "Others"


1=1, "Others"

Since both above is true, this will be true of noen of the other is true.

0 Karma


Use case instead of if.

More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...