- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- splunk eval case statement compare the case-sensit...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
I have a very small conceptual doubt. Does the eval case do case insensitive compare or will it compare the exact values (Case sensitive only)? I need a case-insensitive comparison here.
LINE_CODE value examples:- AMx05323, amy4bl124, bmz4265678 etc. If the first Character is a or A (case insensitive "a", it should return Atlanta otherwise it should return Other.
Do the following 2 statements will provide the same results or different.
| eval REGION_ID = (substr(LINE_CODE,1,1)="a") OR (substr(LINE_CODE,1,1)="A")) ,"Atlanta", 1=1,"Other")
and
| eval REGION_ID = substr(LINE_CODE,1,1)="a" ,"Atlanta" , 1=1," Other")
Thanks for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's easy enough to test:
| makeresults
| eval LINE_CODE="Abcd"
| append [
| makeresults
| eval LINE_CODE="abcd"
]
| eval REGION_ID = case(substr(LINE_CODE,1,1)="a","Atlanta", 1=1," Other")
Which results in:
LINE_CODE REGION_ID
Abcd Other
abcd Atlanta
Conclusion: it is case sensitive. To make it insensitive, simply cast to lowercase before testing:
| eval REGION_ID = case(lower(substr(LINE_CODE,1,1))="a","Atlanta", 1=1," Other")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, the lookups are case-insensitive but if you create a Lookup definition mapped to your Lookup file then you can specify MANY things, including case-sensitive vs. case-insensitive and also WILDCARD and CIDR based fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's easy enough to test:
| makeresults
| eval LINE_CODE="Abcd"
| append [
| makeresults
| eval LINE_CODE="abcd"
]
| eval REGION_ID = case(substr(LINE_CODE,1,1)="a","Atlanta", 1=1," Other")
Which results in:
LINE_CODE REGION_ID
Abcd Other
abcd Atlanta
Conclusion: it is case sensitive. To make it insensitive, simply cast to lowercase before testing:
| eval REGION_ID = case(lower(substr(LINE_CODE,1,1))="a","Atlanta", 1=1," Other")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect, thanks for the explanation. is there any way to remove if there is a blank space in from of LINE_CODE for example:- LINE_CODE = " Abrd"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot.. It looks like the excel TRIM function. 🙂 I can go ahead easily now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at the trim() command: http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/TextFunctions#trim.28X.2CY.29
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
