topic Re: Help with eval case match in Splunk Enterprise

How to achieve eval case match?

maxouhunterfc — Tue, 17 Jan 2023 20:21:27 GMT

event is json:

{message:AZK} x 10

{message:BCK} x 5

{message:C} x 3

What Im trying to get is a table to count message by values with a modified text

Message AZK - 10

Message BCK - 5

C - 3

I use this:

| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre

I can't not get the "C" in the list to be counted

the message from the JSON event is not interpreted (i don't know)

Thanks for your help

Re: Help with eval case match

kamlesh_vaghela — Tue, 17 Jan 2023 18:25:11 GMT

@maxouhunterfc

I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.

Can you please try this?

| rex field=_raw "message:(?<message>.*)}" | eval extended_message= case( match(_raw,"AZK"),"Message AZK", match(_raw,"BCK"),"Message BCK", 1=1, message) | stats count as nombre by extended_message | sort nombre desc | table extended_message, nombre

My Sample Search :

| makeresults | eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|") | mvexpand raw | rename raw as _raw |rename comment as "upto this is sample data" | rex field=_raw "message:(?<message>.*)}" | eval extended_message= case( match(_raw,"AZK"),"Message AZK", match(_raw,"BCK"),"Message BCK", 1=1, message) | stats count as nombre by extended_message | sort nombre desc | table extended_message, nombre

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Help with eval case match

maxouhunterfc — Tue, 17 Jan 2023 19:36:01 GMT

I needed to use indeed a rex