https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479912#M134510 <P>Here is my attempt to create a new field eval in datamodels (no results):<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8732i767DDEA602763C32/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here is the same data, just not using the datamodel:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8733i21D3445F11F2059F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 23 Apr 2020 17:47:38 GMT wgawhh5hbnht 2020-04-23T17:47:38Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479912#M134510 <P>Here is my attempt to create a new field eval in datamodels (no results):<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8732i767DDEA602763C32/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here is the same data, just not using the datamodel:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8733i21D3445F11F2059F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 23 Apr 2020 17:47:38 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479912#M134510 wgawhh5hbnht 2020-04-23T17:47:38Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479913#M134511 <P>If you change the datamodel field to <CODE>case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, action)</CODE> what do you get?</P> Thu, 23 Apr 2020 18:24:27 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479913#M134511 richgalloway 2020-04-23T18:24:27Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479914#M134512 <P>an error message:<BR /> Error in 'eval' command: The arguments to the 'case' function are invalid.</P> Thu, 23 Apr 2020 18:35:49 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479914#M134512 wgawhh5hbnht 2020-04-23T18:35:49Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479915#M134513 <P>oops. I corrected my answer.</P> Thu, 23 Apr 2020 18:45:12 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479915#M134513 richgalloway 2020-04-23T18:45:12Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479916#M134514 <P>while this did get me closer, in that it provided both the Success &amp; Failure, it unfortunately gave all the other actions too, which is exactly what I'm attempting to avoid.</P> <PRE><CODE>Values Count % Decrypt 143864 82.951 Encrypt 27243 15.708 VPN Routing 2082 1.200 Key Install 186 0.107 Drop 23 0.013 Reject 18 0.010 Success 12 0.007 Log Out 3 0.002 Allow 1 0.001 </CODE></PRE> <P>Any idea why putting essentially a true clause at the end makes the Success &amp; Failure case work? Any way to get this to work without obtaining all the other action results?</P> Thu, 23 Apr 2020 19:29:00 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479916#M134514 wgawhh5hbnht 2020-04-23T19:29:00Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479917#M134515 <P>The idea behind the default clause is to determine if the other expressions are working. Your results make me think they are not since everything appears to falling into the last category. A better way to verify this is with <CODE>case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action)</CODE>.</P> Thu, 23 Apr 2020 19:50:44 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479917#M134515 richgalloway 2020-04-23T19:50:44Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479918#M134516 <P>It did create the "Success" &amp; "Failure".</P> <P>If I run your new query, this is the results:<BR /> Values Count %<BR /> unknown - Decrypt 118137 79.418<BR /> unknown - Encrypt 28543 19.188<BR /> unknown - VPN Routing 1859 1.250<BR /> unknown - Key Install 80 0.054<BR /> unknown - Reject 74 0.050<BR /> unknown - Drop 31 0.021<BR /> Success 24 0.016<BR /> unknown - Log Out 6 0.004</P> <P>(I searched separately and there weren't any failed log ins during this time period)</P> Thu, 23 Apr 2020 20:51:48 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479918#M134516 wgawhh5hbnht 2020-04-23T20:51:48Z https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479919#M134517 <P>So it appears as though your original SPL should have worked. I can't explain why you get results with a default clause and not without it.</P> Fri, 24 Apr 2020 14:01:00 GMT https://community.splunk.com/t5/Splunk-Search/Eval-expression-field-not-working-in-data-model/m-p/479919#M134517 richgalloway 2020-04-24T14:01:00Z