Aug 13, 2010 · It appears that you're trying to generate SQL-like search syntax within the search language -- there probably is a simpler way to achieve what you want.

index=foo <<orderId>>. Return a list of unique hostnames. You can chain multiple eval expressions in one search using a comma to separate subsequent expressions. Sep 3, 2013 · Search for result with double quotes.

Note: The IN operator must be in uppercase. To search for data between 2 and 4 hours ago, use earliest=-4h.

Nov 16, 2015 · In your case, this would be: index=myindex your search terms | regex host="^T\d{4}SWT.*". This manual discusses the Search & Reporting app and how to use the Splunk search processing language ( SPL ).

Sep 12, 2014 · I'm trying to write a search that does something like the following: [some search] | eval option=case(like(field,"%_Blah"), field, 1=1, "Other") So, I want to return anything that ends with "_Blah". For information about Boolean operators, such as AND and OR, see Boolean.

For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are. The fully proper way to do this is to use true() which is much more clear.