Sep 12, 2014 · I'm trying to write a search that does something like the following: [some search] | eval option=case(like(field,"%_Blah"), field, 1=1, "Other") So, I want to return anything that ends with "_Blah".

Quotation marks are required when the field values include spaces. Let's try a search. Type category in the Search bar.

| search fieldA!="value2" If you use a wildcard for the value, NOT fieldA=* returns events where fieldA is null or undefined, and fieldA!=* never returns any events. Type buttercup in the Search bar. Subsearches are enclosed in square brackets within a main search and are evaluated first.

Field names are case sensitive, but field values are not. We can narrow the possibilities to the message field this way.

I want to show JobType and status. A subsearch is a search that is used to narrow down the set of events that you search on.

Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. For information about Boolean operators, such as AND and OR, see Boolean. Each row represents an event.

1: Saved search The user requesting the search, the user context the search is run as, the app the search came from, the search string, and the UNIX time. The Search app, the short name for the Search & Reporting app, is the primary way you navigate the data in your Splunk deployment.

index=foo message="*<<orderId>>*" OR index=foo message="*orderId\":\"<<orderId. Ah, thought of an example: if you wanted to look for hosts with a specific host address, but a varying subnet, e.g. 192.168.[16-31].25.