topic Re: Can AND or OR be used in case statements in eval expressions? in Splunk Search

Can AND or OR be used in case statements in eval expressions?

joegrossman — Tue, 08 May 2012 20:51:02 GMT

Right now I have a search that contains c(eval(status<=400)) AS SUCCESS c(eval(status>400)) AS FAILURE.
This works, producing a chart of failures and sucesses. But now I want to change it so it has a WARNING category. This would include only status=404. But to do this I would have to change the FAILURE category to something like, status>400 AND status !=404. But the case statement does not seem to allow this.
Can anyone help me with this?

Re: Can AND or OR be used in case statements in eval expressions?

Ayn — Tue, 08 May 2012 21:06:30 GMT

Which case statement?

The eval statement supports this. All you have to do is something like this:

... | stats c(eval(status>400 AND status!=404)) AS FAILURE

Re: Can AND or OR be used in case statements in eval expressions?

dwaddle — Wed, 09 May 2012 01:49:25 GMT

Another approach might be to use a lookup table that has all the various HTTP response codes and the resulting status you wish them to have. You'd have to enumerate them and specify a value for each, but it is workable.

Re: Can AND or OR be used in case statements in eval expressions?

joegrossman — Wed, 09 May 2012 15:30:29 GMT

Ayn,
This does not work at least with timechart

Re: Can AND or OR be used in case statements in eval expressions?

kristian_kolb — Wed, 09 May 2012 16:09:25 GMT

Or you can do it through rangemap...

... |  rangemap field=status SUCCESS=0-399 WARNING=404-404 default=FAILURE

Then you have the information in the newly created field 'range'.

Hope this helps,

Kristian

Re: Can AND or OR be used in case statements in eval expressions?

Ayn — Wed, 09 May 2012 17:39:10 GMT

But it does! I just tried it myself.

Re: Can AND or OR be used in case statements in eval expressions?

dvl077 — Tue, 05 Feb 2013 16:07:28 GMT

The question was not answered (which seems to be the normal):

So, is:

eval var1 = case(A==0 AND B==1, "ZeroOne", A==1 AND B==0, "OneZero", 1==1, "Neither")

Supposed to be a valid construct?

In my case i can't get it to work. It's either the default branch (1==1) or NULL.

Any hints?

Dirk

Re: Can AND or OR be used in case statements in eval expressions?

kristian_kolb — Tue, 05 Feb 2013 21:39:56 GMT

I can get it to work with the following search

sourcetype=access_combined status=404 OR status=200 
| dedup 3 status 
| eval tt=if(time_taken<500, "1", "0") 
| eval var1 = case(status==200 AND tt=1, "A", status==404 AND tt==0, "B", 1>0, "C") 
| table status tt var1

For sake of clarity/completeness, I've included the complete search I used. The first three lines are just for getting event data (based off access_combined) to work on, so they don't have any real purpose besides that.

The results table looks like;

status  tt  var1
404     1   C
200     1   A
404     0   B
200     0   C

Hope this helps,

Kristian

Re: Can AND or OR be used in case statements in eval expressions?

dvl077 — Wed, 06 Feb 2013 16:03:19 GMT

I confirm, the boolean expression in case() works. My problem was the following:

To gather one of the needed values to decide on i did the following:

| eval no-value-supplied = if(isnull(mkfind(msisdn, "no-value-supplied")), 1, 0)

Note that the introduced variable and the constant string in the mkfind are identical.

Interesting is:

if you output the variable, e.g. via "table no-value-supplied" the value binding is correct (1 or 0 in this case).

Using no-value-supplied in a boolean statement inside of case

| eval new_var = case(no-value-supplied == 1 AND ....)

never yields true.

Is this a bug, or did i miss something in the documentation?

Renaming the variable fixed the issue.

Re: Can AND or OR be used in case statements in eval expressions?

dwaddle — Wed, 06 Feb 2013 16:22:15 GMT

While I can totally appreciate frustration, please remember that most splunk-base participants do not work for Splunk and are answering people's questions on a completely volunteer basis. I don't think your "which seems to be normal" comment is fair to those who do spend a lot of time trying to offer free help on here. Splunk has paid support options available to you if the community is not able to help you solve your problems.

Re: Can AND or OR be used in case statements in eval expressions?

sowings — Wed, 06 Feb 2013 16:29:16 GMT

My experience is that dashes can sometimes be confused for subtract. As a point of habit, I separate words in my field names with underscore.

Re: Can AND or OR be used in case statements in eval expressions?

dvl077 — Wed, 06 Feb 2013 16:33:28 GMT

It was just a observation, no critique of the participants was implied.

Re: Can AND or OR be used in case statements in eval expressions?

landen99 — Tue, 05 Jan 2016 13:53:52 GMT

like truth, observations are not always productive or good. also, paid-support can be quite slow and unhelpful as well, in far too many cases.