Hi there,
I'm new to Splunk, but I've been making some progress.
I'm trying to compare traffic going from one zone to another zone, and to filter out expected traffic.
For example, I have the hosts Dr Pepper, Pepsi, coke, sprite, and I need to see if they're talking to each other when they shouldn't be.
These all have various hosts that could be something like "pepsi-public-dmz", or "test_drpepper_internet_transit".
However a few of them could also contain 2 of the variables, such as "coke-combo-pepsi".
I need to determine a way of searching the variable strings, and comparing the values found against any values found in the other string.
I've managed to do this by using case and like, to determine if a string has the word in there, then comparing it to the src_zone using the code below:
| eval dest_test=case(like(dest_zone ,"%coke%") ,"coke", like(dest_zone ,"%pepsi%") ,"pepsi", like(dest_zone ,"%pepper%") ,"pepper", like(dest_zone ,"%sprite%") ,"sprite", 1<2, "Not found1")
| eval src_test=case(like(src_zone ,"%coke%") ,"coke", like(src_zone ,"%pepsi%") ,"pepsi", like(src_zone ,"%pepper%") ,"pepper", like(src_zone ,"%sprite%") ,"sprite", 1<2, "Not found2")
| eval outcome = if(src_test == dest_test, "match", "no match")
| eval concat_z2z = if(outcome == "no match" , (dest_zone . " : " . src_zone), "Expected")
| where concat_z2z != "Expected"
| table concat_z2z
This provides a list of all traffic that is not going from something marked "pepsi" to another host marked "pepsi", but as it searches in order with case, it doesn't find when something has 2 of the keywords in it.
If I was using Python I'd do a for/while loop to look through all the variables of the keywords, but I cannot figure it out for the life of me here.
The final bit: this isn't exactly scalable either, as you'd have to edit the list each time a new host provider was added.
Help? PS. I realize the code is messy, as I said, I'm still new to this.
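The loop the post describes, written out in Python as an added example (this is not code from the post or from Splunk). It collects every provider keyword found in a zone name rather than the first one `case()` hits, normalises separators so "dr-pepper" and "drpepper" compare equal, and keeps the keyword list in one place so a new provider is a one-line change. The keyword list and the sample events are constructed for the example.

```python
import re

# Hypothetical keyword list: one entry per host provider. In production this
# would be read from a file or a lookup so new providers need no search edits.
KEYWORDS = ["coke", "pepsi", "drpepper", "sprite"]


def normalise(name):
    """Lower-case and strip separators so 'dr-pepper', 'Dr_Pepper' and
    'drpepper' all reduce to the same string."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def keywords_in(zone, keywords=KEYWORDS):
    """Return the set of every keyword present in the zone name.
    'coke-combo-pepsi' yields both 'coke' and 'pepsi', which a first-match
    case() statement cannot express."""
    z = normalise(zone)
    return {k for k in keywords if normalise(k) in z}


def classify(src_zone, dest_zone, keywords=KEYWORDS):
    """Expected traffic shares at least one provider keyword on both sides.
    If either side carries no known keyword, report it separately instead
    of silently treating two different 'Not found' labels as a violation."""
    src = keywords_in(src_zone, keywords)
    dest = keywords_in(dest_zone, keywords)
    if not src or not dest:
        return "unknown"
    return "expected" if src & dest else "unexpected"


def unexpected_flows(events, keywords=KEYWORDS):
    """Return 'dest_zone : src_zone' strings for flows with no shared
    provider keyword, mirroring the concat_z2z field in the original search."""
    return [f"{d} : {s}" for s, d in events
            if classify(s, d, keywords) == "unexpected"]


# Constructed sample events as (src_zone, dest_zone) pairs; not real data.
SAMPLE_EVENTS = [
    ("pepsi-public-dmz", "pepsi-internal"),              # expected
    ("coke-combo-pepsi", "pepsi-public-dmz"),            # expected: shared 'pepsi'
    ("coke-combo-pepsi", "sprite-app"),                  # unexpected
    ("test_drpepper_internet_transit", "dr-pepper-db"),  # expected after normalising
    ("sprite-lb", "coke-web"),                           # unexpected
    ("mgmt-core", "pepsi-public-dmz"),                   # unknown: no keyword on src
]

if __name__ == "__main__":
    for line in unexpected_flows(SAMPLE_EVENTS):
        print(line)
```

The same "all matches, then compare the sets" shape carries over to SPL: `rex` with `max_match=0` extracts every keyword into a multivalue field, and the overlap test can be done with `mvappend`, `mvdedup` and `mvcount`, with the keyword alternation built from a lookup rather than typed into the search.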