Greetings guys.
Like my other posts today, I'm trying to find workarounds for Splunk's inability to search for a literal asterisk. I am working on call detail records, in which there is a field showing the exact buttons a user pressed on their phone. For feature usage like *69, this becomes a big PITA.
For this search, the "DIALED_DIGITS" field can contain *68 or #68; one enables a feature, the other disables it.
Here is my search:
index=PHONE
|regex Dialed_Digits="(\*68|#68).*"
|eval Feature_Code=case((like(Dialed_Digits,"%68%") NOT like(Dialed_Digits,"%#68%")),"Line Feature - Enable")
|table Feature_Code
There are more feature codes to be searched for, hence using the case function. Running it returns an error stating "Error in 'eval' command: The expression is malformed. Expected )."
I have quadruple checked to make sure my syntax is correct, and have similar searches (using OR, but not NOT). I can't figure out what the issue is unless it's a problem with using NOT.
Any advice would really be appreciated.
You need to explicitly specify the AND condition, it isn't implicitly added automatically in eval. So, instead of "... NOT like(..." you need "... AND NOT like(...".
That worked, thank you
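The search from the question with the explicit AND from the answer applied, plus a second case() branch for the #68 code. This is an added example, not part of the original thread; the "Line Feature - Disable" label and the extra Dialed_Digits column in the table are assumptions.

```spl
index=PHONE
| regex Dialed_Digits="(\*68|#68).*"
| eval Feature_Code=case(
    like(Dialed_Digits,"%68%") AND NOT like(Dialed_Digits,"%#68%"), "Line Feature - Enable",
    like(Dialed_Digits,"%#68%"), "Line Feature - Disable")
| table Dialed_Digits Feature_Code
```

case() returns the value for the first condition that evaluates to true, so each row gets exactly one label, and a row that matches neither branch gets a null Feature_Code.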