topic Re: How can i use a eval expression with a result other then previously defined? in Splunk Search

How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 06:09:39 GMT

Hi,

Im currently building a dashboard and one of my search strings is the one below. I currently see the values GPS and NIAS but there is a third kind which is a irregular value. Is it possible to make the string ????? put the irregular value in a value displayed by "Other"

index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | chart count(eval(n="GPS")) AS "GPS", count(eval(n="NIA")) AS "NIAS" , ????????? AS "OVERIG" | transpose

Thank you

Re: How can i use a eval expression with a result other then previously defined?

baerts — Tue, 31 Mar 2015 07:31:37 GMT

Hi Robert, I don't know the range of the n variable, but the next line
index=Adapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n=“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)|chart count by code | transpose
will show 3 values in the graph, GPS, NIAS or OVERIG

Re: How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 07:39:54 GMT

Thanks for the quick respons baerts but it won't compile yet

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '“GPS”,”GPS”,n=“NIA”,”NIAS”,0=0,”OVERIG”)'.

Re: How can i use a eval expression with a result other then previously defined?

baerts — Tue, 31 Mar 2015 07:47:25 GMT

Robert hi, I also got an error when I copied the expression, after I typed it by hand, it worked. I also removed the " and " from OVERIG, NIAS and GPS

Re: How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 07:51:54 GMT

OK so the string would be:

The result now is:

column
code
count

Before
column row 1
GPS 72
NIAS 12

SO i'm still not getting the proper response 😞

Re: How can i use a eval expression with a result other then previously defined?

baerts — Tue, 31 Mar 2015 07:53:39 GMT

You need to put the quotes back 😞 I found out (actually i'm testing with index=_internal)

Re: How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 07:58:54 GMT

We're getting there, just a little more. I don't see the value "OVERIG" but i know there are at least 3 results. Why isn't the string showing the 3rd row?

column row 1 row 2
code GPS NIAS
count 534 70

Re: How can i use a eval expression with a result other then previously defined?

baerts — Tue, 31 Mar 2015 09:05:50 GMT

what does ...eval code=.....|stats count by code show?

Re: How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 09:41:54 GMT

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | chart count by code

code count
GPS 76
NIAS 12

index=tibco TerweeAdapter (GPS OR NIAS)| rex field=_raw "ConversationID=(? .*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12

Same result... still the last variable is missing for some reason

ConversationID=(? .*) is weird btw because its missing the word "bericht" between "<" and ">" which is in my string of course

Re: How can i use a eval expression with a result other then previously defined?

robertspeckmann — Tue, 31 Mar 2015 09:59:33 GMT

I have the solution! Because of the criteria in the front of the string (GPS OR NIAS) it could never find something else as OVERIG... With that one deleted and the 0=0 solution i finally got it:

index=tibco TerweeAdapter | rex field=_raw "ConversationID=(?.*)" | eval n=substr(bericht,1,3) | eval code=case(n="GPS","GPS",n="NIA","NIAS",0=0,"OVERIG") | stats count by code

code count
GPS 76
NIAS 12
OVERIG 9

Thanks for the help!