topic Re: eval case statement in Splunk Search

eval case statement

surekhasplunk — Thu, 05 Jul 2018 10:45:38 GMT

Hi,

Am using case statement to sort the fields according to user requirement and not alphabetically.

eval sort_field=case(wd=="SUPPORT",1, wd=="APPLICATION",2, wd=="STORAGE",3)

Works well when i have values for all the 3 rows but when i don't have value for a row then that is not visible . How can i make that visible with 0 values against that row.

Thanks

Re: eval case statement

493669 — Thu, 05 Jul 2018 10:55:05 GMT

try this:

...|eval sort_field=case(wd=="SUPPORT",1, wd=="APPLICATION",2, wd=="STORAGE",3,1=1, 0)

add default condition and set it's value to zero.

Re: eval case statement

somesoni2 — Thu, 05 Jul 2018 15:01:14 GMT

Whats your full search? Splunk won't show a field in statistics if there is no raw event for it. There are workarounds to it but would need to see your current search to before suggesting anything.

Re: eval case statement

wcastillocruz — Mon, 08 Feb 2021 21:19:23 GMT

Can you help me, i have the same probleme with this search :

index=index_sqlprod-itrs_toc (severity=2 OR severity=0 OR severity="-1")

| eval ID=Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| eval periode=info_max_time-info_min_time
| transaction ID startswith=(severity=2) maxevents=2
| eval start_time=mvindex(timestamp,0), end_time=mvindex(timestamp,1)
| stats sum(duration) AS duration_indispo by Function, periode
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)

| eval Env = case(
Function like "%OTMS%", "OTMS Alcatel",
Function like "%ASC Recorder%", "Enregistrement Téléphonie",
Function like "%ASC Core%", "ASC Core",
Function like "%OXE WORLDWIDE%", "OXE WORLDWIDE",
Function like "%Proxy%", "Téléphonie Alcatel Mobilité",
Function like "%Environnement Monitor%", "Environnement Monitor",
Function like "%Traps%", "Traps",
Function like "%System Management%", "System Management",
1==1, 100
)

| fillnull value=100.00
|table Env, Percent_Available

Works fine when I have values for all rows of each function, but when I don't have a value for any row then the (function) row is not visible. How can I make this visible with 100 values against this row

Re: eval case statement

JTS911 — Wed, 27 Mar 2024 11:10:30 GMT

Your case should end with ,1=1, 100) and not 1==1,100

Re: eval case statement

yuanliu — Sun, 08 Feb 2026 07:11:51 GMT

This was already suggested above in 2018. But an obvious alternative is not: add a line

| fillnull sort_field value=0

Additionally, it is better to use boolean function true() (which is equivalent to boolean constant in some other languages), instead of a boolean evaluation such as 1==1.