Hi All,
How do I pass a regular expression in a variable to the match command? Please help.
In the following search query, we need to pass the value for nonsupporting days dynamically based on the criteria.
| gentimes start=-1 | eval CreateDateEpoch="1412136000" | table CreateDateEpoch | eval start=relative_time(CreateDateEpoch,"@d") | eval end=relative_time(now(),"@d") | eval Date=mvrange(start,end+86400,86400) | convert ctime(Date) timeformat="%+" | eval NoOfBusinessDays=mvcount(mvfilter(NOT match(Date,"(Sun|Sat).*")))
Ex:
eval nonsupport=if(value=1,"(Sun|Sat).*","(Mon|Sun).") | eval NoOfBusinessDays=mvcount(mvfilter(NOT match(Date,nonsupport*))
Thanks
Sathish Rangan
You can do this either with a macro or with map. For an example of the latter, check out this answer:
https://answers.splunk.com/answers/386488/regex-in-lookuptable.html
An untested idea: put the variable name within single quotes. ... | match(Date, 'nonsupport') ...
not working ;(
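The map approach suggested in the answer above, as an added example that is not part of the original thread. The expression given to mvfilter can reference only one field, so a second field such as nonsupport cannot be read inside it. map works around this by pasting the field's value into the search text as the $nonsupport$ token before the inner search runs. Assumptions: value=1 is a constructed stand-in for the asker's criteria, and makeresults is used only to produce one driving row.

```spl
| makeresults
| eval value=1
| eval nonsupport=if(value=1, "(Sun|Sat).*", "(Mon|Sun).")
| map maxsearches=1 search="| gentimes start=-1
    | eval CreateDateEpoch=1412136000
    | table CreateDateEpoch
    | eval start=relative_time(CreateDateEpoch, \"@d\")
    | eval end=relative_time(now(), \"@d\")
    | eval Date=mvrange(start, end+86400, 86400)
    | convert ctime(Date) timeformat=\"%+\"
    | eval NoOfBusinessDays=mvcount(mvfilter(NOT match(Date, \"$nonsupport$\")))"
```

Because map inserts the field value into the search string as text, keep nonsupport restricted to values the search itself assigns rather than values taken from event data.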