topic Re: What's wrong with my eval case statement? in Splunk Search

What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 06:46:25 GMT

What is wrong with this?

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" 
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2", "NA"
(sourcetype=”input8” OR sourcetype="input9" OR sourcetype="input10" OR sourcetype=”input11”) AND index=”foo3”, "NA", true(),"Count"))

Re: What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 06:51:35 GMT

Error in 'eval' command: The expression is malformed. Expected ).

Re: What's wrong with my eval case statement?

sdchakraborty — Thu, 07 Mar 2019 07:00:11 GMT

The structure of case is

Case (condition,value if success, 1=1, value if none of the condition success)

Please try the below code,

|  makeresults 
|  eval sourcetype="input8", index="foo3"
|  eval Count=case(((sourcetype="input1" OR sourcetype="input2") AND index="foo1"), "true" ,
((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR 
sourcetype="input7") AND index="foo2"), "true",
((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "true",1=1,"Count")

Re: What's wrong with my eval case statement?

niketn — Thu, 07 Mar 2019 08:00:55 GMT

@ryhluc01 you are missing couple of commas with first two case conditions. You also have an extra close bracket. Finally be cautious with quotes characters UTF-8 quotes characters are only accepted in SPL. Try the following:

| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA", 
    (sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
    (sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA",
    true(),"Count")

Re: What's wrong with my eval case statement?

woodcock — Thu, 07 Mar 2019 13:03:59 GMT

Like this:

index=foo 
| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA",
(sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2", "NA",
(sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3", "NA", 
true(), Count)

You were missing 2 commas, had an extra ) on the end and had microsoft/paired/handed double-quotes instead of the splunk ones. Cut and paste my answer above.

Re: What's wrong with my eval case statement?

FrankVl — Thu, 07 Mar 2019 13:08:43 GMT

That last ) is redundant 🙂

Re: What's wrong with my eval case statement?

FrankVl — Thu, 07 Mar 2019 13:11:30 GMT

true() can be used just as well and why are you replacing his "NA" by "true"? Also, no need to put () around each entire logical expression.

Re: What's wrong with my eval case statement?

woodcock — Thu, 07 Mar 2019 16:12:19 GMT

Thank you, yes.

Re: What's wrong with my eval case statement?

niketn — Thu, 07 Mar 2019 17:38:13 GMT

@ryhluc01 if your issue is resolved, do accept the answer to mark this question as answered.

Re: What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 17:50:39 GMT

Hey Everyone,

So the corrections from @niketnilay & @woodcock were perfect.

Is there anyway to keep my original values for everything else that does not meet the case conditions? That is what I was trying to achieve with the count @ the end of the syntax.

Re: What's wrong with my eval case statement?

woodcock — Thu, 07 Mar 2019 18:00:51 GMT

Somebody mistook me (@woodcock) for @somesoni2! 😆

Re: What's wrong with my eval case statement?

woodcock — Thu, 07 Mar 2019 18:05:01 GMT

Now that we have fixed the syntax errors, I think this would be better being replaced with this instead:

 index=foo 
 | eval Count=if(((sourcetype="input1" OR sourcetype="input2") AND index="foo1")
     OR ((sourcetype="input3" OR sourcetype="input4" OR sourcetype="input5" OR sourcetype="input6" OR sourcetype="input7") AND index="foo2")
     OR ((sourcetype="input8" OR sourcetype="input9" OR sourcetype="input10" OR sourcetype="input11") AND index="foo3"), "NA", Count)

Re: What's wrong with my eval case statement?

woodcock — Thu, 07 Mar 2019 18:06:21 GMT

I edited my original answer. You also were using "Count" which is a string-literal instead of Count which is a field name. I assume that you meant the latter. Also, see my other answer.

Re: What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 19:55:37 GMT

@woodcock Thank you and you're right! How did I do that 😄
Its fixed. I think I just comb through so many forum posts a day lol.

Re: What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 19:58:50 GMT

I'll give this a shot...one moment.

Re: What's wrong with my eval case statement?

ryhluc01 — Thu, 07 Mar 2019 21:18:10 GMT

Thanks Everyone!