topic Re: eval statement not giving expected result in Splunk Search

eval statement not giving expected result

hrishi_deshpand — Wed, 08 Sep 2021 17:05:58 GMT

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval message = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected",1=1,msg)|stats sum(Count) as Count by message | table message Count

I am having msg in event which contains Auto Approve or Auto Rejected in between a big sentence

I want to count auto approve and auto rejected events but it doesn't give the expected result.

Re: eval statement not giving expected result

s2_splunk — Wed, 08 Sep 2021 17:12:03 GMT

Can you provide an anonymized sample event?

Also, what IS the unexpected result you are getting?

Re: eval statement not giving expected result

hrishi_deshpand — Wed, 08 Sep 2021 17:18:27 GMT

index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval msg = case(like(msg,"%Auto Approved%"), "Auto Approved", like(msg,"%Auto Rejected%"), "Auto Rejected")|stats count by msg | table count, msg

able to get the grouping but visualization for pie chart says need numeric data

Re: eval statement not giving expected result

s2_splunk — Wed, 08 Sep 2021 17:30:59 GMT

You don't need the table command at the end for the visualization; remove it and it should work.

Re: eval statement not giving expected result

hrishi_deshpand — Wed, 08 Sep 2021 17:36:12 GMT

this worked perfectly just incase any one interested thanks