topic Re: Case with Tag's in Splunk Search

Case with Tag's

hartfoml — Thu, 05 Sep 2013 18:49:32 GMT

I am trying to use Case to rename taged events like this

tag=audit OR tag=cleared "" | eval Event=case( tag == audit, "Logging Stoped", tag == cleared, "Logs Cleared" )

The case statement is not working not finding any events and the Event field is not generated.

Re: Case with Tag's

Ayn — Thu, 05 Sep 2013 19:00:05 GMT

Without the quotes, you're asking eval to compare the value of the field tag to the value of the field audit and cleared, respectively. I'm guessing you'd want quotes around those?

Re: Case with Tag's

hartfoml — Thu, 05 Sep 2013 19:06:55 GMT

I tried with the added quotes and the case function throws a syntax error.

The example on Splunk docs is like this;
... | eval description=case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")

Re: Case with Tag's

Ayn — Thu, 05 Sep 2013 19:24:14 GMT

Yup. So what does it look like in your case? What error are you getting?

Re: Case with Tag's

hartfoml — Thu, 05 Sep 2013 20:18:28 GMT

I do not get any errors the search runs as expected and generates events as expected but the eval command does not generate the field named "Event" using the case function.

Re: Case with Tag's

Ayn — Thu, 05 Sep 2013 20:59:37 GMT

Yes, you're using it without quotes. That is wrong. You just said you got a syntax error with quotes. What was it?

Re: Case with Tag's

hartfoml — Thu, 05 Sep 2013 21:59:15 GMT

Oh Sorry i misunderstood the question.

WhenI do this

tag=audit OR tag=cleared "" | eval Event=case( "tag == audit", "Logging Stoped", "tag == cleared", "Logs Cleared" )

I get this error

Error in 'eval' command: The arguments to the 'case' function are invalid

Re: Case with Tag's

Ayn — Fri, 06 Sep 2013 06:59:51 GMT

The quotes are only supposed to be around the VALUE, not the field name as well. So tag == "audit". Otherwise you're just giving case a string and don't tell it what to actually do with it.

Re: Case with Tag's

hartfoml — Mon, 09 Sep 2013 14:29:54 GMT

Thanks Ayn

That make sense, about the quotes I mean. So I tried this;

tag=audit OR tag=cleared ""

This search generated events with;
tag::eventtype, value=audit
tag::eventtype, value=cleared

but when I do this;

tag=audit OR tag=cleared "" | stats count by tag

I get zero results. I guess I am confused about tag relationships.