Thanks for the above info about using like. I ran into this issue when trying to match a field value inside an if.
eval Environment=if( host="*beta*","BETA","PROD" )
This returns all events with the Environment field value as PROD.
It worked as expected once I changed to:
if( like( host, "%beta%" ), "BETA", "PROD" )
@LH_SPLUNK, usually the source name is the fully qualified path of your source, i.e. besides the file name it will also contain the path details. So your condition should not look for an exact match of the source filename; rather, it should be a pattern ending with the filename. Following is a run-anywhere example illustrating the difference between your approach and a regular expression pattern match on source using match():
| makeresults
| eval source="source_a.csv,source_b.csv,/blah/blah/source_a.csv,/blah/blah/source_b.csv"
| makemv source delim=","
| mvexpand source
| eval A=if(source == "source_a.csv", "1" , "0")
| eval B=case(match(source,"source_a.csv$"),"1",match(source,"source_b.csv$"),"0")
PS: the like() option suggested by @nickhillscpl should also work. match() is case sensitive.
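The points raised in this answer (eval's `=` is an exact string comparison, `like()` needs `%` wildcards, `match()` is a regex and is case sensitive, and `source` normally carries the full path) can be seen side by side in one run-anywhere search. This is an added example, not part of the answer above; the sample `source` values (including the upper-case `SOURCE_A.CSV` and the `/opt/data/` prefix) are constructed for illustration and do not come from anyone's actual environment:

```spl
| makeresults
| eval source="source_a.csv,/opt/data/source_a.csv,/opt/data/SOURCE_A.CSV,/opt/data/source_b.csv"
| makemv source delim=","
| mvexpand source
| eval exact_eq=if(source="source_a.csv", 1, 0)
| eval glob_eq=if(source="*source_a.csv", 1, 0)
| eval like_pct=if(like(source, "%source_a.csv"), 1, 0)
| eval match_re=if(match(source, "source_a\.csv$"), 1, 0)
| eval match_ci=if(match(source, "(?i)source_a\.csv$"), 1, 0)
| table source exact_eq glob_eq like_pct match_re match_ci
```

Reading the columns: `exact_eq` is only true for the bare filename, `glob_eq` is never true because `*` is not a wildcard inside eval (it is only expanded by the search command, which is the same reason `host="*beta*"` in the first post matched nothing), `like_pct` and `match_re` both match the path-qualified lower-case file, and only `match_ci`, with the PCRE `(?i)` flag, also picks up the upper-case variant. The `$` anchor in the regex keeps `source_a.csv` from matching a name such as `source_a.csv.bak`, and the `\.` keeps the dot literal.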
The format I use for this is:
...|eval A=if(like(source,"%source_a.csv"), "1" , "0")
I've tried a few settings.
It could be that source_a.csv has a path in the field, like in the metrics.log example (source = /opt/splunk/var/log/splunk/metrics.log). If so, then you could use this if pattern:
index=_internal
| eval a=if(source like "%metrics.log","1","0")
If the field source is only "source_a.csv", then you can use this if pattern:
index=_internal
| eval a=if(source="metrics.log","1","0")
No need to add a double == sign. Just source="filter-string" will do. But that shouldn't break things (at least it doesn't on my test box).
Are you sure those are the source values of your events? Just the filename, no path included? Can you provide a screenshot of the actual event with the source field visible?
Are you sure that source_a.csv is in any of the events? Is it spelled correctly? Have you tried with only one = instead of ==, not that it should make a difference at all? Also, what version of Splunk are you on?