First, like is a function – so it needs to be used as one
This should work:
index=log_ad
| eval tag=case(like(Hostname,"%SRV%"), "server", like(Hostname,"%DC%"), "controller", 1=1, "not matched")
| top tag, Hostname
from User warren – Stack Overflow https://stackoverflow.com/questions/76404006/case-like-does-not-work-in-splunk-no-string-is-matched/76406646#76406646
via IFTTT