topic Re: What am I doing wrong with this case function??? in Splunk Search

What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 20:24:51 GMT

I have tried to use the following eval to pretty up the return of a field but the result is always test. I have tried single and double quotes around the host.domain field but it always just gives test. I keep on looking for a typo or something but I am at a loss

| eval dct_domain=case(host.domain=="prd", "Production", host.domain=="uat", "Pre-Production", host.domain=="dev", "Development", true(), "test" )

TEMPORARY EDIT - So while trying a thing from whats been suggested so far I found that when I click on host.domain in the left side and choose prd it gives me no results despite the fact it clearly lists it in results (which for that type of selection option it has to be in the results). So I brought the search down to just:

index=dct_foglight_shr "host.domain"=prd

and no results show. anyway im opening a splunk ticket

Re: What am I doing wrong with this case function???

dtburrows3 — Wed, 27 Dec 2023 18:44:41 GMT

Try single quotes around the fieldname in the case statement

Splunk can be finicky about fieldnames with certain characters such as ".", "{}"

Example:

| eval dct_domain=case('host.domain'=="prd", "Production", 'host.domain'=="uat", "Pre-Production", 'host.domain'=="dev", "Development", true(), "test" )

Re: What am I doing wrong with this case function???

jason_hotchkiss — Wed, 27 Dec 2023 19:00:43 GMT

Try:

| eval dct_domain=case(host.domain==prd, "Production", host.domain==uat, "Pre-Production", host.domain==dev, "Development", true(), "test" )

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 20:16:02 GMT

unfortunately I tried single and double quotes on the fieldname and it does not work.

Re: What am I doing wrong with this case function???

dtburrows3 — Wed, 27 Dec 2023 20:30:24 GMT

Maybe there is a space on the edges of the string?

What do you get when you do this in your eval instead?

| eval dct_domain=case(match('host.domain', "prd"), "Production", match('host.domain', "uat"), "Pre-Production", match('host.domain', "dev"), "Development", true(), "test" )

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 20:32:54 GMT

I updated the question maybe just as you where answering. I found the field was not showing results even when I did a simple search and through the gui chose the value for host.domain. something fishy is going on.

Re: What am I doing wrong with this case function???

dtburrows3 — Wed, 27 Dec 2023 20:41:09 GMT

My last response still holds to test if it in fact whitespace in the string.

As you can see by this screenshot I was able to replicate you issue with trailing whitespace.

But when updating the eval it fixes the output to intended behavior

At the very least this would rule out if whitespace in the string is the issue.

You could also try this on the search bar and see what returns

index=dct_foglight_shr "host.domain"="*prd*" | stats count by "host.domain" | eval dct_domain=case(match('host.domain', "prd"), "Production", match('host.domain', "uat"), "Pre-Production", match('host.domain', "dev"), "Development", true(), "test" )

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 20:45:14 GMT

I think you may be missing the significance of it. You see its not responding to the field at all for searching. even when filtering for it using mouse clicks so there is no possibility of errant spaces at that point since splunk itself puts the text in based on mouse selection. There is something very strange going on. I have done filtering on other fields with mouseclicks jut in case and they react fine. Not sure what the issue is with this specific field but its enough of an issue with splunk directly that I just put in a ticket about it.

Re: What am I doing wrong with this case function???

dtburrows3 — Wed, 27 Dec 2023 20:52:12 GMT

Not downplaying the significance, just trying to assist with troubleshooting with similar issues I have seen in the past.

Good luck

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 20:57:30 GMT

yeah sorry. im not accusing you of anything. Its just the problem is showing itself in a much more rigid way. index=dct_foglight_shr "host.domain"=prd is not working and "host.domain"=prd was added completely with mouseclicks so no possibility at all of whitespace being added as splunk itself is adding it in response to mouse clicks. So once I have fixed the issue with the field in general if case is still acting wonky I will attempt your fix advice.

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 21:37:00 GMT

and oh wow. I owe you a big apology as yes, splunk itself is somehow not putting in whats there even when selected with the mouse. so its still an issue they are looking into and on my side I will be talking to a team about data cleanup but Im going to try your workaround and if it works I will mark it as the fix.

Re: What am I doing wrong with this case function???

Pat — Wed, 27 Dec 2023 22:14:42 GMT

The issue is with the data quality and there is some sort of errant spacing in it. I still have a ticket open in splunk as clicking the value of a field should properly put in such spacing but this works as a workaround for me for now. Im further going to speak with the team where the data is coming out of to make sure the data is going out properly (actually need to verify in raw before I go there). thanks.