searchmatch is a somewhat odd command in that it is looking at the "EVENT", i.e. it must have a _raw. If you run this

| makeresults
| eval _raw="ONE TWO THREE"
| eval result=if(searchmatch("THREE TWO"), 1, 0)

You will see result=1, but if you run

| makeresults
| eval _raw="ONE TWO THREE"
| eval result=if(searchmatch("THREEX TWO"), 1, 0)

You will see result=0. Also if you run

| makeresults
| eval fieldstring="ONE TWO THREE"
| eval result=if(searchmatch("XX YY"), 1, 0)

You will also see result=1 - odd - but that's the way it seems to handle a null _raw field. I am not sure why it finds a result when _raw is not present. Note the example given in the documentation, which further confuses: https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/ConditionalFunctions#searchmatch.28.26lt.3Bsearch_str.26gt.3B.29

| makeresults 1
| eval _raw = "x=hi y=bye"
| eval x="hi"
| eval y="bye"
| eval test=if(searchmatch("x=hi y=*"), "yes", "no")
| table _raw test x y

If you set _raw to be "x=low..." then the match will fail, so in this case, it's comparing the match against the specific field x where it has a value different to the _raw content. Anyway, your example sets a specific single string to be a fixed value, so if you do this

| makeresults
| eval fieldstring="ONE TWO THREE"
| eval result=if(searchmatch("fieldstring=\"ONE TWO THREE\""), 1, 0)

You will get a correct match, but if you change the match text, it will give you result=0. Hope I've not managed to confuse you too much!
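The cases in the answer above can be put side by side in one search so the _raw-dependent and field-dependent behaviours of searchmatch are visible in a single result table. This is an added example, not part of the original post; the row labels (n, raw_terms, field_eq) and the three constructed _raw values are assumptions made here for illustration, and the search uses only makeresults, streamstats, eval and table.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "ONE TWO THREE",
                 n==2, "ONE TWOX THREE",
                 n==3, null())
| eval fieldstring="ONE TWO THREE"
| eval raw_terms=if(searchmatch("THREE TWO"), 1, 0)
| eval field_eq=if(searchmatch("fieldstring=\"ONE TWO THREE\""), 1, 0)
| table n _raw fieldstring raw_terms field_eq
```

Row 1 carries the terms in _raw, row 2 has one term altered, and row 3 has _raw removed (so it exercises the null _raw case the answer describes); raw_terms tests the bare-term search and field_eq tests the explicit field=value search against fieldstring, which is the form the answer recommends when the value to match lives in a field rather than in _raw.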