You can use wildcards in field values.

Sep 13, 2017 · I have the following query:

sourcetype="docker" AppDomain=Eos Level=INFO Message="Eos request calculated" | eval Val_Request_Data_Fetch_RefData=Round((Eos_Request_Data_Fetch_MarketData/1000),1)

which has 3 hosts, like perf, castle, local.

See more examples of real-time searches and reports in the CLI in the Admin Manual.

Jan 31, 2024 · The following search returns events where fieldA exists and does not have the value "value2".

You can retrieve events from your indexes, using keywords, quoted phrases, wildcards, and field-value expressions. You can chain multiple eval expressions in one search using a comma to separate subsequent expressions.

Sep 12, 2014 · I'm trying to write a search that does something like the following:

[some search] | eval option=case(like(field,"%_Blah"), field, 1=1, "Other")

So, I want to return anything that ends with "_Blah".

Field names are case sensitive, but field values are not.

^ anchors this match to the start of the line (this assumes that "T" will always be the first letter in the host field) …

colA      colB
sb12121    800
sb879898  1000
ax61565    680
ax7688     909

The Splunk Search Processing Language (SPL) encompasses all the search commands and their functions, arguments and clauses. If you search for Error, any case of that term is returned, such as Error, error, and ERROR.
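The search-time rules collected on this page (wildcards in field values, case-sensitive field names with case-insensitive values, the difference between fieldA!="value2" and NOT fieldA="value2", and the %/_ wildcards of eval's like()) are easy to misread, so here is an added emulation of them in Python, run over a handful of constructed events. This is illustration code written for this page, not Splunk's own implementation or the posters' searches; the event data, the host names and the case-sensitive treatment of like() are assumptions made for the example.

```python
"""Emulation of a few Splunk search-time rules, run over constructed events."""
import re

# Constructed sample events (not taken from the page). Note the fourth event
# carries "level" (lowercase) instead of "Level", and the third has no fieldA.
EVENTS = [
    {"host": "Tperf",   "Level": "INFO",  "Message": "Eos request calculated",
     "fieldA": "value1", "option": "foo_Blah"},
    {"host": "castle",  "Level": "ERROR", "Message": "eos request FAILED",
     "fieldA": "value2", "option": "fooXBlah"},
    {"host": "Tlocal",  "Level": "info",  "Message": "Eos request calculated",
     "option": "Blah"},
    {"host": "Tlocal2", "level": "INFO",  "Message": "other",
     "fieldA": "VALUE2", "option": "other"},
]


def wildcard_match(value, pattern):
    """field=value comparison: '*' matches any run of characters and the
    comparison is case-insensitive, as the page states for field values."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def field_equals(event, name, pattern):
    """name=pattern: field names are case-sensitive (exact key lookup),
    field values are not (handled by wildcard_match)."""
    value = event.get(name)
    return value is not None and wildcard_match(str(value), pattern)


def field_not_equals(event, name, pattern):
    """name!=pattern: matches only events that HAVE the field with a
    non-matching value (fieldA exists and is not value2)."""
    value = event.get(name)
    return value is not None and not wildcard_match(str(value), pattern)


def not_field_equals(event, name, pattern):
    """NOT name=pattern: the complement of field_equals, so events that
    lack the field entirely are returned as well."""
    return not field_equals(event, name, pattern)


def keyword_match(event, term):
    """Bare keyword search, case-insensitive: Error finds Error, error and ERROR.
    Simplified here to whole-token matching over every field value."""
    for value in event.values():
        if any(tok.lower() == term.lower() for tok in re.split(r"\W+", str(value))):
            return True
    return False


def like(text, pattern):
    """eval like(): SQL-style pattern where '%' is any run of characters and
    '_' is exactly one character. Case-sensitive in this emulation (an
    assumption made for the example, not a statement taken from the page)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.match("^" + regex + "$", text) is not None


def eval_option(event, field="option"):
    """The thread's case(like(field,"%_Blah"), field, 1=1, "Other").
    Because '_' is a single-character wildcard, "%_Blah" also matches "fooXBlah"."""
    value = str(event.get(field, ""))
    return value if like(value, "%_Blah") else "Other"


def hosts_where(predicate):
    """Run a predicate over EVENTS and return the matching host values."""
    return [e["host"] for e in EVENTS if predicate(e)]


if __name__ == "__main__":
    print(hosts_where(lambda e: field_equals(e, "host", "T*")))
    print(hosts_where(lambda e: field_not_equals(e, "fieldA", "value2")))
    print(hosts_where(lambda e: not_field_equals(e, "fieldA", "value2")))
    print([eval_option(e) for e in EVENTS])
```

Two things worth noticing when running it: the event whose field is spelled "level" is never matched by Level=INFO, because field names are compared exactly, and the "%_Blah" pattern from the thread returns "fooXBlah" as well as "foo_Blah", because the underscore in a like() pattern is a wildcard rather than a literal.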

