https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654021#M226008 <P>A small tip:</P><LI-CODE lang="markup">| makeresults | eval "Severity Level"=split("1,2,3,4", ",") | mvexpand "Severity Level" </LI-CODE><P>Can also be created like this:</P><LI-CODE lang="markup">| makeresults count=4 | streamstats count as "Severity Level"</LI-CODE> Fri, 11 Aug 2023 07:48:04 GMT jotne 2023-08-11T07:48:04Z https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654012#M226006 <P>I have a "Severity Level" field in both index A and index B.</P><P><BR />Their structure is like:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">==index A=== Severity Level 1 2 3 4 ===index B=== Severity Level critical high medium low</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;Now I want to combine the two indexes in a search and display the Severity Level using&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| timechart count by "Severity Level"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>where the combined "Severity Level" values only contain 1,2,3,4</P><P>So, I need an eval = case() to map them.</P><P>My syntax for for that is&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">eval "Severity Level" = case('Severity Level' == "critical", 1 ,'Severity Level' == "high", 2, 'Severity Level' == "medium", 3, 'Severity Level' == "low", 4, 'Severity Level' == 1, 1, 'Severity Level' == 2, 2, 'Severity Level' == 3, 3, 'Severity Level' == 4, 4, 1=1, null)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;By this, the result gives incorrect result, i.e., only showing incorrect counts on 4. I think the problem is in the single and double quote, but I am not sure which is which. It is a bit urgent so I need help. Thanks.&nbsp;</P> Fri, 11 Aug 2023 05:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654012#M226006 itnewbie 2023-08-11T05:14:05Z https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654014#M226007 <P>There doesn't appear to be anything functionally wrong with the case. With eval, you MUST use single quotes to wrap field names on the RIGHT hand side of the eval, whereas double quotes are used on the LEFT hand side, i.e.</P><LI-CODE lang="markup">| eval "Severity Level" = case('Severity Level'...)</LI-CODE><P>As you have</P><P>This shows your eval is correct</P><LI-CODE lang="markup">| makeresults | eval "Severity Level"=split("1,2,3,4", ",") | mvexpand "Severity Level" | append [| makeresults | eval "Severity Level"=split("critical,high,medium,low", ",") | mvexpand "Severity Level" ] | fields - _time | eval "Severity Level" = case('Severity Level' == "critical", 1 ,'Severity Level' == "high", 2, 'Severity Level' == "medium", 3, 'Severity Level' == "low", 4, 'Severity Level' == 1, 1, 'Severity Level' == 2, 2, 'Severity Level' == 3, 3, 'Severity Level' == 4, 4, 1=1, null)</LI-CODE><P>but you could just do</P><LI-CODE lang="markup">| eval "Severity Level" = case('Severity Level' == "critical", 1, 'Severity Level' == "high", 2, 'Severity Level' == "medium", 3, 'Severity Level' == "low", 4, 1==1, 'Severity Level')</LI-CODE><P>as the final case statement is just saying that it will take the value of Severity Level - unless you may have some other value.</P><P>&nbsp;</P> Fri, 11 Aug 2023 05:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654014#M226007 bowesmana 2023-08-11T05:57:50Z https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654021#M226008 <P>A small tip:</P><LI-CODE lang="markup">| makeresults | eval "Severity Level"=split("1,2,3,4", ",") | mvexpand "Severity Level" </LI-CODE><P>Can also be created like this:</P><LI-CODE lang="markup">| makeresults count=4 | streamstats count as "Severity Level"</LI-CODE> Fri, 11 Aug 2023 07:48:04 GMT https://community.splunk.com/t5/Splunk-Search/Correct-syntax-of-eval-string-case/m-p/654021#M226008 jotne 2023-08-11T07:48:04Z