https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695543#M56996 <P>That's how case works - it returns the value for the first matching condition. If you want to evaluate all conditions, you have to do three separate evals and assign values to three separate fields.</P> Wed, 07 Aug 2024 12:34:03 GMT PickleRick 2024-08-07T12:34:03Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695527#M56986 <P>Hi,&nbsp;<BR />I have doing a list of different searches and want the count of each searches.&nbsp;<BR />So, I was using the searchmatch command but when using it I get only the first result that is successfully searches and it ignore the rest</P><P>For example:</P><P>index="abc"&nbsp;<BR />| eval JobName= case(<BR />searchmatch("error 1234", Error1),<BR />searchmatch("error 567", Error2),<BR />searchmatch("error 89", Error3)<BR />)<BR />| stats count by&nbsp;JobName</P><P>Output says&nbsp;<BR />Error1 - 234 (234 is the count of error)</P><P>though error 2 and error 3 are there, It is not listing in the results.&nbsp;<BR />Please could you suggest on how to get this sorted</P><P>&nbsp;</P> Wed, 07 Aug 2024 10:12:28 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695527#M56986 suvi6789 2024-08-07T10:12:28Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695529#M56987 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259662">@suvi6789</a>&nbsp;,</P><P>parenthesis are wrong and if Error1,2 and3 are strings, use quotes:</P><LI-CODE lang="markup">index="abc" | eval JobName= case( searchmatch("error 1234"), "Error1", searchmatch("error 567"), "Error2", searchmatch("error 89"), "Error3" ) | stats count by JobName</LI-CODE> Wed, 07 Aug 2024 10:40:10 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695529#M56987 gcusello 2024-08-07T10:40:10Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695531#M56988 <P>Thanks for the response<BR />My Bad, the parenthesis are wrong. I have ran the query with the right paranthesis. It was a typo.</P><P>index="abc"&nbsp;<BR />| eval JobName= case(<BR />searchmatch("error 1234"), "Error1",<BR />searchmatch("error 567"), "Error2",<BR />searchmatch("error 89"), "Error3"<BR />)<BR />| stats count by&nbsp;JobName</P><P>Output says&nbsp;<BR />Error1 - 234 (234 is the count of error)</P><P>though error 2 and error 3 are there, It is not listing in the results.&nbsp;</P> Wed, 07 Aug 2024 10:43:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695531#M56988 suvi6789 2024-08-07T10:43:52Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695532#M56989 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259662">@suvi6789</a>&nbsp;,</P><P>the search is correct, are you sure about the strings to search for Error 2 and 3?</P><P>Only for debugging, please change the order of searchmatch in the eval.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 07 Aug 2024 10:46:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695532#M56989 gcusello 2024-08-07T10:46:56Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695533#M56990 <P>If I comment&nbsp;<BR /><SPAN>index="abc"&nbsp;</SPAN><BR /><SPAN>| eval JobName= case(</SPAN><BR /><SPAN>```searchmatch("error 1234"), "Error1",```</SPAN><BR /><SPAN>searchmatch("error 567"), "Error2",</SPAN><BR /><SPAN>searchmatch("error 89"), "Error3"</SPAN><BR /><SPAN>)</SPAN><BR /><BR />Now, the result is&nbsp;<BR /><SPAN>Error2 - 125</SPAN></P> Wed, 07 Aug 2024 10:48:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695533#M56990 suvi6789 2024-08-07T10:48:27Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695534#M56991 <P>Thank you for your response<BR /><BR /><SPAN>If I comment the first search</SPAN><BR /><SPAN>index="abc"&nbsp;</SPAN><BR /><SPAN>| eval JobName= case(</SPAN><BR /><SPAN>```searchmatch("error 1234"), "Error1",```</SPAN><BR /><SPAN>searchmatch("error 567"), "Error2",</SPAN><BR /><SPAN>searchmatch("error 89"), "Error3"</SPAN><BR /><SPAN>)</SPAN><BR /><BR /><SPAN>Now, the result is&nbsp;</SPAN><BR /><SPAN>Error2 - 125</SPAN></P> Wed, 07 Aug 2024 10:52:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695534#M56991 suvi6789 2024-08-07T10:52:12Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695535#M56992 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/259662">@suvi6789</a>&nbsp;,</P><P>Only for test, please try this:</P><LI-CODE lang="markup">index="abc" | stats count(eval(searchmatch("error 1234"))) AS "Error1" count(eval(searchmatch("error 567"))) AS "Error12" count(eval(searchmatch("error 89"))) AS "Error3"</LI-CODE><P>the issue is probably on the data, you must analyze them</P><P>Ciao.</P><P>Giuseppe</P> Wed, 07 Aug 2024 10:52:53 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695535#M56992 gcusello 2024-08-07T10:52:53Z https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695543#M56996 <P>That's how case works - it returns the value for the first matching condition. If you want to evaluate all conditions, you have to do three separate evals and assign values to three separate fields.</P> Wed, 07 Aug 2024 12:34:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Searchmatch/m-p/695543#M56996 PickleRick 2024-08-07T12:34:03Z