Returns true if the event matches the search string X.
Find below the skeleton of the usage of the function “searchmatch” with EVAL :
searchmatch(X)
index=_internal
| eval AA=if(searchmatch(“Queue Full”),”Exists”,”NOT”)
Explanation :
If any event in the “_internal” index is
having “Queue Full” String in it, then
“Exists” will be stored in the “AA” field
which is newly created.If not then “NOT”
will be stored in the “AA” So, there are
total 5990 lines with “Queue Full” and
5452 without “Queue Full“
Verification :
index=_internal
| eval AA=if(searchmatch(“Queue Full”),
“Exists”,”NOT”)
| search AA=”Exists”
Only those lines will appear which has “Exists”
value in AA field, which means “Queue Full” string
is there in the event.
Similarly , you can also verify for AA=”NOT” and you
will get only those lines which do not contain
“Queue Full” String in it.
Now you can effectively utilize “searchmatch”
function with “eval” command to meet your requirement !!
Hope you are now comfortable in
Usage of Splunk EVAL Function : SEARCHMATCH
HAPPY SPLUNKING !!
What’s your Reaction?
+1
+1
1
+1
1
+1
+1
+1
1
+1
wonderful information, I had come to know about your blog from my friend nandu , hyderabad,i have read atleast 7 posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that i had been looking for, i'm already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanks a ton once again,
Regards