topic Re: What's wrong with this case statement? in Splunk Search

What's wrong with this case statement?

mistydennis — Mon, 20 Jun 2022 22:06:34 GMT

When I add this case statement to my search, all results for Severity are "Other". What did I miss?

| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")

Re: What's wrong with this case statement?

gcusello — Tue, 21 Jun 2022 06:34:24 GMT

Hi @mistydennis ,

sometimes I found problems in dots management, so I hint to try this:

| eval Severity=case(score>0 AND score<4, "Low", score>=4 AND score<7, "Medium", score>=7 AND score<9, "High", score>=9 AND score<=10, "Critical", true(), "Other")

Ciao.

Giuseppe

Re: What's wrong with this case statement?

PickleRick — Tue, 21 Jun 2022 06:42:26 GMT

If your fields which contain "numbers" misbehave it's often the case of the fields being in fact string representations of numbers. Try eval-ing the field before your case to a number using

| eval score=tonumber(score)

Oh, and assuming all your scores are non-negative, you can limit your number of conditions since they are evaluated left to right until a match is found. So if the first condition (0.1 - 3.9) evaluates to false, there is no point of requiring the number to be at least 4.0 in the next step because if it was smaller, it would have matched the first condition.

Re: What's wrong with this case statement?

isoutamo — Tue, 21 Jun 2022 06:46:42 GMT

In verbose mode you can check the type of field from selected/interesting field columns. If before the field name is # => number and if it's a => character. This is the easiest way to see that.

r. Ismo

Re: What's wrong with this case statement?

marysan — Tue, 21 Jun 2022 10:51:37 GMT

but I used your query and it worked correctly:

its possible that your score filed is multivalue field like my query:

| makeresults
| eval temp="1 6.7 8 9 9.6 103 454 5 2.3 5.3 1.4"
| eval score=split(temp," ")
| fields - temp,_time
| mvexpand score
| eval Severity=case(score>=0.1 AND score<=3.9, "Low", score>=4.0 AND score<=6.9, "Medium", score>=7.0 AND score<=8.9, "High", score>=9.0 AND score<=10.0, "Critical", true(), "Other")

Re: What's wrong with this case statement?

mistydennis — Tue, 21 Jun 2022 13:34:25 GMT

Thank you for this - I did verify that the field was a number, but I plugged in your eval anyway. Still doesn't work, though I appreciate the tip about reading from left to right (I didn't know that).

Re: What's wrong with this case statement?

mistydennis — Tue, 21 Jun 2022 13:34:59 GMT

That is a good tip - yes, the field is a number.

Re: What's wrong with this case statement?

mistydennis — Tue, 21 Jun 2022 13:37:52 GMT

Yes, it does seem to work with your query but unfortunately it does not work in mine. I have confirmed the field is not multivalue.

Re: What's wrong with this case statement?

mistydennis — Tue, 21 Jun 2022 13:40:20 GMT

I tried this as well, no luck. All values are still "Other".

Re: What's wrong with this case statement?

mistydennis — Tue, 21 Jun 2022 13:54:41 GMT

Solved! Thank you to everyone that provided hints - it turns out that the field in question was coming from a lookup, and for some reason I could not successfully apply the case statement in my query. But I opened up the lookup query, added the case statement there, and it worked. I don't understand why this worked, but it did.

Re: What's wrong with this case statement?

isoutamo — Tue, 21 Jun 2022 14:02:35 GMT

One way to see what those fields contains is a create a new field like

... | eval contains=">" . field . "<" | ...

That way it's not needed to guess what that field contains.