There are 3 different values for one particular field say field1 - "INTPAY\ITS\TD_EFT\can contain other data", "INTPAY\TD_EFT\can contain other data", "Expense_EFT\can contain other data"
The eval statement below doesn't work:
| eval Flag=case((field1 like "INTPAY%TD_EFT%" OR field1 like "INTPAY%ITS%TD_EFT%") ,"1",(field1 like "Expense_EFT%"),"2",1=1,"3")
How can I write a search to get the below requirement:
If field1 is "INTPAY\ITS\TD_EFT\can contain other data" or "INTPAY\TD_EFT\can contain other data", flag should be 1, if field1 is "Expense_EFT\can contain other data", flag should be 2. If none matches, flag should be 3.
I have tried with INTPAY\TD_EFT also.
Please help.
You can use like, match, or searchmatch. Try this:
.... | eval Flag=case(
match(field1, "^INTPAY\\(ITS\\)?TD_EFT\\") ,"1",
match(field1, "^Expense_EFT\\"),"2",
true(),"3")
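To check that the regexes in this answer actually classify the three shapes of field1 from the question the way the case() intends, here is a small Python model of the same logic (added here; it is not Splunk code and not part of the original answer). The sample values are constructed, and the regexes are written as raw strings so that each "\\" reaches the regex engine as an escaped literal backslash, which is the behaviour the answer's double backslashes are meant to get in eval.

```python
import re

# Constructed sample values of field1: the three shapes from the question plus
# one that matches none of them and should fall through to the default.
SAMPLES = [
    r"INTPAY\ITS\TD_EFT\can contain other data",
    r"INTPAY\TD_EFT\can contain other data",
    r"Expense_EFT\can contain other data",
    r"INTPAY\ITS\can contain other data",   # constructed: no TD_EFT segment
]

# Regexes equivalent to the answer's match() patterns. In a raw string "\\"
# is two characters, which the regex engine reads as one literal backslash,
# so "(ITS\\)?" is an optional "ITS\" segment, not a literal parenthesis.
INTPAY_RE = re.compile(r"^INTPAY\\(ITS\\)?TD_EFT\\")
EXPENSE_RE = re.compile(r"^Expense_EFT\\")


def flag(field1: str) -> str:
    """Mirror of the SPL case(): first matching condition wins, default is "3"."""
    if INTPAY_RE.search(field1):
        return "1"
    if EXPENSE_RE.search(field1):
        return "2"
    return "3"


def classify_all(values=SAMPLES) -> dict:
    """Return {field1 value: Flag} for every sample, as the search would."""
    return {v: flag(v) for v in values}


if __name__ == "__main__":
    for value, result in classify_all().items():
        print(f"{result}  {value}")
```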
Hi - I think you can leverage the match command (https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions#match.28SUBJ...) to achieve your desired outcome:
| makeresults count=1
| streamstats count
| eval field=case(count=1, "INTPAY\\TD_EFT\\")
| eval field2=case(match(field, "TD_EFT"), "1")
You can improve upon the regex outside of my suggestion if you'd like.
Hope this helps! Please accept the answer/upvote if it does.