topic Re: comparing two field not working with eval case in Splunk Search

comparing two field not working with eval case

chandra61446 — Tue, 29 Sep 2020 10:31:27 GMT

I have search below ..

|inputlookup biweekly_backup | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases inspected" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P.+)"] | convert num(TDBs) | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases backed up" | rex field=_raw "^(?P[^ ]+)(?:[^:\n]*:){3}\s+(?P.+)"] | convert num(DBBackedup) | join type=outer max=0 host [search index=tsm sourcetype="tsm-client-log" source="/server2splunk/server_sel" OR source="c:\\LogFiles\\sersel_sched.log" "Total server databases excluded" | rex field=_raw "^(?:[^:\n]*:){3}\s+(?P\s+\d+)"] | table host BDate TDBs DBBackedup DBexcluded
| dedup host
| eval DB_NotBackedup = (TDBs - DBBackedup)
| fillnull value=NoData 
| eval Backup_Status=case(DB_NotBackedup>DBexcluded, "BackupFailed - RunEffBackup", DBBackedup="NoData", "BackupMissed - RunFullBackup", 1=1, "Success")  | table Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup

while comparing in |eval Backup_Status=case(DB_NotBackedup>DBexcluded,
it doesn't take field values to compare
but when i provide numeric values instead , it does,, e.g. |eval Backup_Status=case(DB_NotBackedup>4, ......

any idea what is missing?

Re: comparing two field not working with eval case

aholzel — Fri, 05 Aug 2016 09:41:27 GMT

then it seems like the "BDexcluded" field is not an number. you can test it with the eval function isnum(X)
see https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Informational_functions

Re: comparing two field not working with eval case

javiergn — Fri, 05 Aug 2016 09:43:47 GMT

Hi,

Try rewriting your case with double = for comparison and use a space between the greater than symbol and the next variable name. Keep in mind this symbol can be part of the variable name (this is valid code | eval field>A = "random text" 😞

| eval Backup_Status = case(
    DB_NotBackedup > DBexcluded, "BackupFailed - RunEffBackup", 
    DBBackedup == "NoData", "BackupMissed - RunFullBackup", 
    1==1, "Success"
)

Re: comparing two field not working with eval case

hardikJsheth — Fri, 05 Aug 2016 09:49:55 GMT

Your query looks fine to me. What's happening when you run the result ? Did you check that you don't have blank or null value in DBexcluded?

Re: comparing two field not working with eval case

chandra61446 — Tue, 29 Sep 2020 10:31:31 GMT

still the same

output

Backup_Status BDate TDBs DBBackedup DBexcluded DB_NotBackedup
1 BackupFailed - RunEffBackup 07/30/2016 1581 1566 3 15
2 BackupFailed - RunEffBackup 07/24/2016 1278 1275 3 3
3 BackupFailed - RunEffBackup 07/31/2016 2165 2162 3 3
4 BackupFailed - RunEffBackup 07/23/2016 678 677 1 1
5 BackupFailed - RunEffBackup 07/30/2016 1918 1915 2 3
6 BackupFailed - RunEffBackup 07/23/2016 1272 1268 3 4
7 BackupFailed - RunEffBackup 07/23/2016 11009 11009 0 0
8 BackupFailed - RunEffBackup 07/31/2016 10020 10019 1 1
9 BackupMissed - RunFullBackup NoData NoData NoData NoData NoData

as per condition, no1 and no 6 should be success but it is not.. !!