How do I use an eval command with a case function ...

Chandras11 · ‎11-30-2018

hi,

I have a field PORT_DESC with the values as:
"somethings sdsa Device:XYZ PORT: 1.2.3 BackPort: 4.5.6 some other text"
"somethings Othertext Device: PORT: BackPort: some other text"
Now I need to define a Port_Flag separating these values as:

eval Port_Flag= case(like(PORT_DESC,"%PORT:  BackPort:%"), "Flag_NO",like(PORT_DESC,"%PORT: 1.2.3 BackPort:%"),"Flag_YES",1=1,"Other")

However, the Port value can be anything such as 1.2.3 or CRMT or vw3d.

How can I separate these values where either no Port value is given or some value is assigned? Any regular expression will also be a great help, which can define

PORT:[Anything 0-9 or A-Z or a-z $%&/()]  BackPort:

Thanks in advance.

richgalloway · ‎11-30-2018

Instead of using like in your case statement, use match. The match function accepts regular expressions. For example,

eval Port_Flag= case(match(PORT_DESC,"PORT: BackPort:.*"), "Flag_NO", match(PORT_DESC,"PORT: .*? BackPort:.*"), "Flag_YES",1=1,"Other")

---
If this reply helps you, Karma would be appreciated.

Chandras11 · ‎11-30-2018

Thanks for the info. However, .*? take everything. How can I remove not 1 but any number fo space characters there?

richgalloway · ‎11-30-2018

.*? is non-greedy and should stop at " BackPort". \S+ is an alterative (perhaps a better one).

---
If this reply helps you, Karma would be appreciated.

whrg · ‎11-30-2018

Try: PORT: [^ ]+ BackPort:

How do I use an eval command with a case function with regex to separate the blank vs any character?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases