topic multiple Case conditions? in Splunk Search

multiple Case conditions?

karthi2809 — Thu, 21 Mar 2024 17:37:31 GMT

Hi,

I am using multiple case conditions but the condition is not matching. In the third line of the code used AND condition for message=*End of GL* AND tracepoint=*Exception* .If the condition match make to success.In my case its showing both SUCCESS and ERROR in the table.

| eval Status=case( like('Status' ,"%SUCCESS%") ,"SUCCESS", like('message' ,"%End of GL-import flow%") AND like('tracePoint',"%EXCEPTION%") ,"SUCCESS", like('tracePoint',"%EXCEPTION%") AND like('priority' ,"%ERROR%"),"ERROR", like('Status',"%ERROR%"),"ERROR", like('priority',"%WARN%"),"WARN", like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN", like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR", 1==1, "")

Re: multiple Case conditions?

isoutamo — Thu, 21 Mar 2024 17:55:42 GMT

when your field names are not contained any special characters, it’s safer and easier to left ‘ away.

Basically those conditions seems to be ok.

Can you give some samples which are not working?

r. Ismo

Re: multiple Case conditions?

karthi2809 — Thu, 21 Mar 2024 18:04:29 GMT

The condition is not working for me
like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS",
If the message value=End of GL-import flow and tracepoint values=Exception then it should be SUCCESS.Screen shot attached below

index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND message="GLImport Job Already Running, Please wait for the job to complete*") OR ( message="End of GL Import process - No files found for import to ISG") | rename content.File.fstatus as Status | eval Status=case( like('Status' ,"SUCCESS") ,"SUCCESS", like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS", like('tracePoint',"EXCEPTION") AND like('priority' ,"%ERROR%"),"ERROR", like('Status',"ERROR"),"ERROR", like('priority',"WARN"),"WARN", like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN", like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR", 1==1, "") | stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" values(message) as message values(timestamp) as timestamp values(content.errorType) as errorType by correlationId | eval ProcessMsg= coalesce(ProcessMsg,errorType,message) | eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId | eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval ElapsedTimeInSecs=EndTime-StartTime | eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S") | table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId | join correlationId type=left [ search index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (message="API: START: /v1/revpro-to-oracle/onDemand*") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport") OR (message="API: START: /v1/revproGLImport/onDemand*") | eval JobType=case( like('message',"API: START: /v1/revproGLImport/onDemand%"),"OnDemand", like('message',"API: START: /v1/revpro-to-oracle/onDemand%"),"OnDemand", like('message',"API: START: /v1/fin_Zuora_GL_Revpro_JournalImport"),"Scheduled") | table JobType correlationId ] | table Status JobType Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId | fields - ElapsedTimeInSecs | where JobType!=" "

Re: multiple Case conditions?

isoutamo — Thu, 21 Mar 2024 18:26:00 GMT

Based on your SPL and screenshot it seems to be a MV field. Some yours stats have combined it from several correlationId or what ever you have after by on stats.

Re: multiple Case conditions?

karthi2809 — Thu, 21 Mar 2024 18:31:32 GMT

Stats combined the unique correlation ID.

Re: multiple Case conditions?

yuanliu — Fri, 22 Mar 2024 06:10:22 GMT

You need to show sample data that doesn't work with the case function fails to produce expected result, then the actual results. The stats just makes troubleshooting more difficult. But even if you want to include stats, you still need to show sample data.

Re: multiple Case conditions?

isoutamo — Fri, 22 Mar 2024 09:10:29 GMT

And at same time it convert that field (result of case) to multivalue field which contains both those values.
As @yuanliu said, you must provide sample data which produce that "error", if you want that we can help you.