- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Having Trouble With CASE
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what I am using:
| eval siteName = case (Destination_IP == "199.47.*", dropbox.com)
I have tried everything and it is not working. Do you think it is because of the numbers "199.47.*"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP, "^199\.47\..*$"), "dropbox.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP,"^199\.47\..*”), "dropbox.com", match(Destination_IP,“^85\.17\.30\..*"), "megadownload.net", match(Destination_IP,"^195\.122\.131\..*"), "rapidshare.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the real answer. thanks this fixed the issue. you are a regex guru. thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval siteName = case(match(Destination_IP, "^199\.47\..*$"), "dropbox.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see now, / characters where removed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I think I understand well not relay
So if I want to use case to get a variable named siteName and I have three possible sites identified by three possible IP’s I would normally use this
'| eval siteName = case (Destination_IP == "199.47.”, dropbox.com, Destination_IP == “85.17.30.", megadownload.net, Destination_IP == "195.122.131.*", rapidshare.com)'
But this isn’t working and the multiple matches are not working. Do you have any other suggestions for CASE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the second argument of match function is a regex and "^199.47..$" in you example is not equal with "^199.47..*$" as I had suggested
http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Opps the match doesn't seem to work in case
'| eval siteName = case(match(Destination_IP, "^199.47..$"), "dropbox.com",match(Destination_IP, "^85.17.30.$"), "megadownload.net",match(Destination_IP, "^195.122.131.*$"), "rapidshare.com")'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HURA you are brilliant thanks
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
