topic How do I create an eval expression for a data model? in Knowledge Management

How do I create an eval expression for a data model?

danesh_shah — Wed, 24 Oct 2018 14:13:17 GMT

i have an expression which i am trying to use for a calculated field, and it is within a data model for web requests.

the expression is based on HTTP codes with conditions

 (if(status='200', "OKAY"), 
 (if(status>='400', "CLIENT ERROR"), 
 (if(status>='500', "SERVER ERROR"), 
 (if(status>='600', "OTHER"))))

does not seem to work..

Re: How do I create an eval expression for a data model?

danesh_shah — Wed, 24 Oct 2018 14:15:23 GMT

also tried
(case(status>=200,"okay",
status>=400,"client error",
status>=500,"server error",
status>600,"other"))

Re: How do I create an eval expression for a data model?

MikaJustasACN — Wed, 24 Oct 2018 14:32:25 GMT

just a question, why is there () covering the whole statement? Additionally, what you want to check would be whether those numbers are actually numerical values or not.

Re: How do I create an eval expression for a data model?

danesh_shah — Wed, 24 Oct 2018 14:38:39 GMT

i imagined the whole statement would require to be enclosed in brackets, however i have tried without and it still did not resolve.

those numbers are numerical as the first line where it says case(status=200, "OKAY"
the preview tab reports shows this conversion but the remaining 3 conditions do not seem to resolve the search report for all field values only state to be "OKAY" even if the status code is 400...

Re: How do I create an eval expression for a data model?

MikaJustasACN — Wed, 24 Oct 2018 14:44:56 GMT

thats only using case, correct? The problem is how case sees it, as soon as it hits first match it stops evaluating. so your status>=200 always correct thus always shows okay and nothing else.

Re: How do I create an eval expression for a data model?

danesh_shah — Wed, 24 Oct 2018 14:52:15 GMT

Thats correct using case only the first line is resolving.

when tried to use IF the expression kept failing completely although making the correct adjustments for the IF statement.

which was

if(status=200, "OKAY",
status>=400, "CLIENT ERROR",
status>=500, "SERVER ERROR",
status>=600, "OTHER")

Re: How do I create an eval expression for a data model?

MikaJustasACN — Wed, 24 Oct 2018 14:56:51 GMT

Try this

case(status>=600,"other",
status>=500,"server error",
status>=400,"client error",
status>=200,"okay")

never using IF, but again, make sure you use boolean expressions (==, >=,<=) and not assignment (=). Also make sure there is last condition in an IF if nothing matches. Not sure if Splunk enforces it.

Re: How do I create an eval expression for a data model?

niketn — Tue, 29 Sep 2020 21:45:07 GMT

@danesh_shah, please try the following run anywhere example. It builds the HTTP Description based on http_status_code provided on Wikipedia: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

| makeresults
| eval http_status_code="101,204,200,302,404,502,600"
| makemv http_status_code delim=","
| mvexpand http_status_code
| eval http_status_description=case(match(http_status_code,"^1\d{2}$"),"Informational",
    match(http_status_code,"^2\d{2}$"),"Success",
    match(http_status_code,"^3\d{2}$"),"Redirection",
    match(http_status_code,"^4\d{2}$"),"Client Error",
    match(http_status_code,"^5\d{2}$"),"Server Error",
    true(),"Unknown")
| table http_status_code http_status_description