
Thursday, May 14

Usage of Splunk EVAL Function : SEARCHMATCH



       Returns true if the event matches the search string X. The string is
       interpreted with ordinary search syntax (bare terms, field=value pairs,
       AND/OR/NOT, wildcards), and the function is evaluated once per event,
       so it can be used anywhere eval expects a boolean, e.g. inside if() or case().




      The skeleton of the "searchmatch" function used with EVAL :

                                               searchmatch(X)




index=_internal 
| eval AA=if(searchmatch("Queue Full"),"Exists","NOT")






Explanation :

             For each event in the "_internal" index, if the event matches
             the search string "Queue Full", the value "Exists" is stored
             in the newly created field "AA"; otherwise "NOT" is stored
             in "AA".

             Note that the argument is parsed as a search expression, so
             "Queue Full" means Queue AND Full (both words anywhere in the
             event). To require the exact phrase, escape the inner quotes:
             searchmatch("\"Queue Full\"").

             In the author's instance this produced a total of 5990 events
             with "Queue Full" and 5452 without it.
           


Verification :


   index=_internal 
   | eval AA=if(searchmatch("Queue Full"),"Exists","NOT")
   | search AA="Exists"


Only those events will appear whose "AA" field has the value "Exists",
which means the event matches the "Queue Full" search string.







Similarly, you can verify with AA="NOT" and you will get 
only those events that do not contain the "Queue Full" string.
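A fuller example, added here and not part of the original post, that uses searchmatch to tag several conditions in a single pass and then summarise them. It assumes the standard log_level field of splunkd.log and the group/blocked fields of metrics.log (both under sourcetype=splunkd); the field names queue_terms, queue_phrase, queue_blocked and severity are chosen for this example. It also shows the difference between the bare two-word string and the escaped exact phrase:

```spl
index=_internal sourcetype=splunkd
| eval queue_terms=if(searchmatch("Queue Full"), 1, 0)
| eval queue_phrase=if(searchmatch("\"Queue Full\""), 1, 0)
| eval queue_blocked=if(searchmatch("group=queue blocked=true"), 1, 0)
| eval severity=case(
      searchmatch("log_level=ERROR"), "error",
      searchmatch("log_level=WARN"),  "warn",
      true(),                         "info")
| stats count AS events,
        sum(queue_terms)   AS queue_terms_events,
        sum(queue_phrase)  AS queue_phrase_events,
        sum(queue_blocked) AS queue_blocked_events
        BY severity
```

queue_terms counts events containing both words anywhere, queue_phrase only events containing the adjacent phrase, so queue_phrase_events can never exceed queue_terms_events; queue_blocked flags metrics.log lines reporting a blocked queue using field=value terms inside the search string. The case() chain shows searchmatch driving a multi-way classification, with true() as the fall-through branch. Keep in mind that searchmatch runs after the events have been retrieved, so it does not reduce the number of events read from disk; when you only want the matching events, put the condition in the base search instead, and use searchmatch when you need every outcome tagged in one pass, as in the stats above.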



Now you can effectively use the "searchmatch" function with the "eval" command to meet your requirement !!


Hope you are now comfortable in :
Usage of Splunk EVAL Function : SEARCHMATCH


HAPPY SPLUNKING !!

2 comments:

Unknown said...

Wonderful information. I had come to know about your blog from my friend Nandu, Hyderabad. I have read at least 7 posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Once again hats off to you! Thanks a ton once again,
Regards, splunk training in hyderabad

sankar said...

Nice post. Informatica online training from India