https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161754#M45710 <P>I have to point out that there are some other problems with your search. I have shown it below so that I can refer to it line-by-line</P> <PRE><CODE>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() | convert ctime(tnow) | eval n= substr(tnow,15,15) | eval m= substr(n,0,2) | eval switcherValue=case(m=55,voderrorcode,m=56,status) | stats count by switcherValue </CODE></PRE> <P>In line 2, the <CODE>stats</CODE> command is unnecessary, because you overwrite the value of <CODE>tnow</CODE> in line 3 with the time that this search began. Did you really mean to use <CODE>now()</CODE>? I would have expected to use <CODE>_time</CODE>, but then I don't understand the condition you are testing. Finally, you seem to be manipulating the time to pick off certain characters in lines 3-5, but this seems like a hard way to do it.</P> <P>Why not do this?</P> <PRE><CODE>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | eval m = strftime(now(),"%M") | eval switcherValue=case(m==55,voderrorcode, m==56,status, 1==1,null()) | stats count by switcherValue </CODE></PRE> <P>I was too lazy to figure out what all the <CODE>substr</CODE> was about, so i just set <CODE>m</CODE> to the minutes portion of the time. If you wanted some other part of the time, look here for the codes: <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables">Common Time Format Variables</A><BR /><BR /> Also, note that I added a third option to the <CODE>case</CODE> function - what if <CODE>m</CODE> is something other than 55 or 56? In that case, I set <CODE>switcherValue</CODE> to null, but you could set it to something else.</P> Tue, 03 Dec 2013 07:45:56 GMT lguinn2 2013-12-03T07:45:56Z https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161751#M45707 <P>This is my query</P> <P>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() | <BR /> convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,<STRONG>voderrorcode</STRONG>,m=56,<STRONG>status</STRONG>) | stats count by switcherValue</P> <P>I have to get the field name based on the m value in the case.Even though Iam not giving the quotes case statement is trating as string,because of this iam not getting switchervalue as filedname.</P> <P>Please advise me how to get the fieldname from case statement instead a string.</P> Mon, 02 Dec 2013 10:22:43 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161751#M45707 lahariveerlapat 2013-12-02T10:22:43Z https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161752#M45708 <P>in the above search i kept m values in quotes | eval switcherValue=case(m="55",voderrorcode,m="56",status) | stats count by switcherValue</P> Mon, 02 Dec 2013 10:24:10 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161752#M45708 lahariveerlapat 2013-12-02T10:24:10Z https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161753#M45709 <P>Try following</P> <PRE><CODE>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() | convert ctime(tnow) | eval n=substr(tnow,15,15) |eval m=substr(n,0,2)| eval switcherValue=case(m=55,voderrorcode,m=56,status) | eval sno=1| chart count over sno by switcherValue | fields - sno </CODE></PRE> Mon, 02 Dec 2013 15:03:17 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161753#M45709 somesoni2 2013-12-02T15:03:17Z https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161754#M45710 <P>I have to point out that there are some other problems with your search. I have shown it below so that I can refer to it line-by-line</P> <PRE><CODE>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | stats count AS tnow | eval tnow = now() | convert ctime(tnow) | eval n= substr(tnow,15,15) | eval m= substr(n,0,2) | eval switcherValue=case(m=55,voderrorcode,m=56,status) | stats count by switcherValue </CODE></PRE> <P>In line 2, the <CODE>stats</CODE> command is unnecessary, because you overwrite the value of <CODE>tnow</CODE> in line 3 with the time that this search began. Did you really mean to use <CODE>now()</CODE>? I would have expected to use <CODE>_time</CODE>, but then I don't understand the condition you are testing. Finally, you seem to be manipulating the time to pick off certain characters in lines 3-5, but this seems like a hard way to do it.</P> <P>Why not do this?</P> <PRE><CODE>sourcetype="pivotsource" OR sourcetype="vodplayerrors_animation" | eval m = strftime(now(),"%M") | eval switcherValue=case(m==55,voderrorcode, m==56,status, 1==1,null()) | stats count by switcherValue </CODE></PRE> <P>I was too lazy to figure out what all the <CODE>substr</CODE> was about, so i just set <CODE>m</CODE> to the minutes portion of the time. If you wanted some other part of the time, look here for the codes: <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Commontimeformatvariables">Common Time Format Variables</A><BR /><BR /> Also, note that I added a third option to the <CODE>case</CODE> function - what if <CODE>m</CODE> is something other than 55 or 56? In that case, I set <CODE>switcherValue</CODE> to null, but you could set it to something else.</P> Tue, 03 Dec 2013 07:45:56 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-the-field-names-based-on-the-case-statement/m-p/161754#M45710 lguinn2 2013-12-03T07:45:56Z