https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545404#M154475 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>&nbsp;</P><P>Did you verify the local.meta of your apps folder? And also the after placing the props.conf in search head can you quickly restart and check if it is a single instance. For distributed search head cluster no restart required.</P><P>The only eval is not working all other fields are working fine?</P> Thu, 25 Mar 2021 14:05:47 GMT Vardhan 2021-03-25T14:05:47Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545390#M154469 <P>Hello SMEs....Seeking helping hand</P><P>I got stuck while putting EVAL-&lt;field-name&gt; in props.conf using case command and it is not at all working while the same is working in search bar in GUI. As suggestion would be highly appreciated</P><P>&nbsp;</P><P>EVAL-XYZ = case(src== "AAA", field1, src== "BBB", field2 , src== "CCC", field3)</P> Thu, 25 Mar 2021 13:31:24 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545390#M154469 pavanbmishra 2021-03-25T13:31:24Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545394#M154470 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>The eval -xyz filed name have you used anywhere else in the same props. conf? And where exactly have you placed the props. conf?&nbsp;</P><P>&nbsp;</P> Thu, 25 Mar 2021 13:41:23 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545394#M154470 Vardhan 2021-03-25T13:41:23Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545402#M154474 <P>Thanks Vardhan for your quick help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>No i am not using that eval-xyz field anywhere in the props.conf, i put my config file under below folder</P><P>/etc/apps/&lt;app-name&gt;/local folder&nbsp;</P> Thu, 25 Mar 2021 13:55:07 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545402#M154474 pavanbmishra 2021-03-25T13:55:07Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545404#M154475 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>&nbsp;</P><P>Did you verify the local.meta of your apps folder? And also the after placing the props.conf in search head can you quickly restart and check if it is a single instance. For distributed search head cluster no restart required.</P><P>The only eval is not working all other fields are working fine?</P> Thu, 25 Mar 2021 14:05:47 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545404#M154475 Vardhan 2021-03-25T14:05:47Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545408#M154478 <P>Yeah all filed working except that eval expression. What should i check under local.meta ?</P><P>BTW it is single instance and i restarted that also. Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 25 Mar 2021 14:15:42 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545408#M154478 pavanbmishra 2021-03-25T14:15:42Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545411#M154480 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>&nbsp;,</P><P>Can you try with the below eval and see the result.</P><P><SPAN>EVAL-XYZ = case(src== "AAA", "field1", src== "BBB", "field2" , src== "CCC", "field3")</SPAN></P><P><SPAN>And also make sure you are able to see the mentioned src fields values in the case.</SPAN></P> Thu, 25 Mar 2021 14:23:22 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545411#M154480 Vardhan 2021-03-25T14:23:22Z https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545470#M154508 <P>I would suggest to add a default option at the end to see whether this eval just doesn't match any of your options (or your sourcetype?) and go from there. Generally, it looks correct. Case-sensitivity for field names is my only idea. Try this and see if you at least get your field with the default value:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">EVAL-XYZ = case(src="AAA", field1, src="BBB", field2 , src="CCC", field3, 1=1, "HITTING DEFAULT IN EVAL")</LI-CODE><P>&nbsp;</P><P>&nbsp;If this doesn't help and you can, please post your exact props.conf file</P> Thu, 25 Mar 2021 19:17:39 GMT https://community.splunk.com/t5/Splunk-Search/CASE-command-in-Props-conf/m-p/545470#M154508 s2_splunk 2021-03-25T19:17:39Z