LIKE() with wildcard within an IF statement

Tisiphone_1
Explorer

Can anybody tell me why this LIKE statement using a wildcard errors out within an IF statement in a form search, but not in the standard search box?

Here's the whole form search:

   <searchTemplate>
   index=test
   [stats count | eval search=(

           if("$VAR$"=="empty"," "," | where like(field,%$VAR$%) ")

   ) 

   | fields - count ]
   </searchTemplate>

The part that never works is the LIKE statement % (the search wildcard):

| where like(field,%$VAR$%)

I have tried using ASCII instead of symbol %, and quotes in different places. The error I receive is: "Error in 'eval' command: Typechecking failed. '%' only takes numbers."

However, in standard search:

| where like(field,%stuff%) 

works just fine.

FYI: I am using 4.0.11 - it appears LIKE may function differently than newer versions.

kartik13
Communicator

I know it's too late to reply, but not too late to contribute.
I am working on the same kind of thing; here is my query, which worked for me.

|where like(label,"%"+"$Token_Name$"+"%") OR like(label,"%"+"$Token_Name_part$"+"%")

rey123
Path Finder

The above syntax of including "%" in a separate set of quotes from the token did not work for me. After a lot of trial and error, what worked was this, i.e., encapsulating the "%" within the SAME SET of quotes as the token:

| where like(label,"%$Token_Name$%")

jetie
Explorer

oiResult=failure | where like(oiErrorString, "%5 - invalid truck number DSN%")

Works for me with version 6.0

jrodman
Splunk Employee

If you paste this search into the Summary view of search, does it seem to land in the flash timeline intact?

Tisiphone_1
Explorer

I'm letting a user put a string into a search box, and if the search box is not empty I am searching for things that contain that string.

Stephen_Sorkin
Splunk Employee

Eval and where require that the pattern for a LIKE expression be a string literal. Your syntax should be | where like(field,"%stuff%"). I think that it's working in some of the cases because the UI is injecting quotes (where they don't necessarily belong).
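
An added example (not from any poster in this thread, and not Splunk code): a Python model of the textual `$VAR$` substitution the form performs, checking whether the second argument of `like()` ends up as exactly one string literal, as the answer above requires. The helper names, the sample inputs and the backslash-escaping rule for quotes are assumptions.

```python
import re

# Two templates taken from the thread; $VAR$ is replaced textually before parsing.
UNQUOTED = '| where like(field,%$VAR$%)'
QUOTED = '| where like(field,"%$VAR$%")'

def escape_for_literal(value):
    # Assumption: a backslash escapes \ and " inside a double-quoted literal.
    return value.replace("\\", "\\\\").replace('"', '\\"')

def build_clause(template, value, escape=True):
    """Mimic the form: no clause for "empty", otherwise substitute the token."""
    if value == "empty":
        return " "
    if escape:
        value = escape_for_literal(value)
    return template.replace("$VAR$", value)

def pattern_arg(clause):
    """Text of the second argument of like(field, ...), or None if absent."""
    m = re.search(r"like\(\w+,(.*)\)\s*$", clause)
    return m.group(1).strip() if m else None

def is_single_literal(arg):
    """True when arg is exactly one double-quoted literal (escaped quotes allowed)."""
    return arg is not None and re.fullmatch(r'"(?:[^"\\]|\\.)*"', arg) is not None

def check(template, value, escape=True):
    """Return the rendered clause and whether its pattern is one string literal."""
    clause = build_clause(template, value, escape)
    return clause, is_single_literal(pattern_arg(clause))

if __name__ == "__main__":
    samples = ["stuff", 'truck "A"']  # constructed user inputs
    for tpl in (UNQUOTED, QUOTED):
        for val in samples:
            for esc in (False, True):
                clause, ok = check(tpl, val, esc)
                print(f"{'ok ' if ok else 'BAD'} escape={esc!s:5} {clause}")
```

Only the quoted template combined with escaping keeps every sample inside a single literal; a user value containing a double quote splits the pattern when it is substituted unescaped.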

Tisiphone_1
Explorer

I have tried both " and ". Both produce an error.

Johnvey
Contributor

Can you clarify what the output of the search should be? It appears that you're trying to generate SQL-like search syntax within the search language -- there probably is a simpler way to achieve what you want.
