https://community.splunk.com/t5/Splunk-Search/What-is-the-limit-on-the-number-of-branches-in-a-single-CASE/m-p/240781#M71570 <P>Hello,</P> <P>I have defined api_names and calculating counts and sigma limits for alert based on uri stem.<BR /> Example uri stem: <CODE>/api/v1/customer/details/customernumber/12345</CODE><BR /> I can't use regex here (or I am not that skilled). I've created this:</P> <PRE><CODE>| eval cs_uri_stem=lower(cs_uri_stem) | rex field=cs_uri_stem "/api/v\d/(?&lt;api_name&gt;\w+[a-z-]\w+).*" </CODE></PRE> <P>However, it will parse out api name only till the first slash <CODE>/</CODE>, so I'll match <CODE>customer</CODE>. However, I do not match <CODE>customer/details/customernumber</CODE> as they follow between additional slashes.<BR /> Due to this limitation, I've created big case statement with 122 x 2 branches.</P> <PRE><CODE>| eval api_name = case( like(cs_uri_stem,"/api/v%/customers/%"),"customers", like(cs_uri_stem,"/api/v%/customers%"),"customers", like(cs_uri_stem,"/api/v%/customer-groups/%"),"customer-groups", like(cs_uri_stem,"/api/v%/customer-groups%"),"customer-groups", like(cs_uri_stem,"/api/v%/customer-bases/%"),"customer-bases", like(cs_uri_stem,"/api/v%/customer-bases%"),"customer-bases", like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list/%"),"customer/shippingaddresses/list", like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list%"),"customer/shippingaddresses/list", like(cs_uri_stem,"/api/v%/customer/search/%"),"customer/search", like(cs_uri_stem,"/api/v%/customer/search%"),"customer/search", like(cs_uri_stem,"/api/v%/customer/details/customernumber/%"),"customer/details/customernumber", like(cs_uri_stem,"/api/v%/customer/details/customernumber%"),"customer/details/customernumber", like(cs_uri_stem,"/api/v%/customer/%"),"customer", like(cs_uri_stem,"/api/v%/customer%"),"customer", 1=1,"OTHER") </CODE></PRE> <P>Now questions:</P> <P><EM>1. What is the SPLUNK limitation on the number of branches in a single CASE statement?<BR /> 2. What is impact of running such big case statement?<BR /> 3. I assume that SPLUNK case statement is working in same manner as in SQL, so I've organized patterns in descending order to match first <CODE>customer/details/customernumber</CODE> and <CODE>customer</CODE> only on the rest. Am I correct?<BR /> 4. Is there any opportunity to optimize this case statement?<BR /> 5. Is there any alternative? (already thinking about leveraging rex and do it in multiple levels like customer = api_name_L1, details = api_name_L2, customernumnber = api_name_L3</EM></P> <P>I'll appreciate any help/comments here.</P> <P>Thank you!<BR /> m.</P> Tue, 29 Sep 2020 07:56:22 GMT magorinahory 2020-09-29T07:56:22Z https://community.splunk.com/t5/Splunk-Search/What-is-the-limit-on-the-number-of-branches-in-a-single-CASE/m-p/240781#M71570 <P>Hello,</P> <P>I have defined api_names and calculating counts and sigma limits for alert based on uri stem.<BR /> Example uri stem: <CODE>/api/v1/customer/details/customernumber/12345</CODE><BR /> I can't use regex here (or I am not that skilled). I've created this:</P> <PRE><CODE>| eval cs_uri_stem=lower(cs_uri_stem) | rex field=cs_uri_stem "/api/v\d/(?&lt;api_name&gt;\w+[a-z-]\w+).*" </CODE></PRE> <P>However, it will parse out api name only till the first slash <CODE>/</CODE>, so I'll match <CODE>customer</CODE>. However, I do not match <CODE>customer/details/customernumber</CODE> as they follow between additional slashes.<BR /> Due to this limitation, I've created big case statement with 122 x 2 branches.</P> <PRE><CODE>| eval api_name = case( like(cs_uri_stem,"/api/v%/customers/%"),"customers", like(cs_uri_stem,"/api/v%/customers%"),"customers", like(cs_uri_stem,"/api/v%/customer-groups/%"),"customer-groups", like(cs_uri_stem,"/api/v%/customer-groups%"),"customer-groups", like(cs_uri_stem,"/api/v%/customer-bases/%"),"customer-bases", like(cs_uri_stem,"/api/v%/customer-bases%"),"customer-bases", like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list/%"),"customer/shippingaddresses/list", like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list%"),"customer/shippingaddresses/list", like(cs_uri_stem,"/api/v%/customer/search/%"),"customer/search", like(cs_uri_stem,"/api/v%/customer/search%"),"customer/search", like(cs_uri_stem,"/api/v%/customer/details/customernumber/%"),"customer/details/customernumber", like(cs_uri_stem,"/api/v%/customer/details/customernumber%"),"customer/details/customernumber", like(cs_uri_stem,"/api/v%/customer/%"),"customer", like(cs_uri_stem,"/api/v%/customer%"),"customer", 1=1,"OTHER") </CODE></PRE> <P>Now questions:</P> <P><EM>1. What is the SPLUNK limitation on the number of branches in a single CASE statement?<BR /> 2. What is impact of running such big case statement?<BR /> 3. I assume that SPLUNK case statement is working in same manner as in SQL, so I've organized patterns in descending order to match first <CODE>customer/details/customernumber</CODE> and <CODE>customer</CODE> only on the rest. Am I correct?<BR /> 4. Is there any opportunity to optimize this case statement?<BR /> 5. Is there any alternative? (already thinking about leveraging rex and do it in multiple levels like customer = api_name_L1, details = api_name_L2, customernumnber = api_name_L3</EM></P> <P>I'll appreciate any help/comments here.</P> <P>Thank you!<BR /> m.</P> Tue, 29 Sep 2020 07:56:22 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-limit-on-the-number-of-branches-in-a-single-CASE/m-p/240781#M71570 magorinahory 2020-09-29T07:56:22Z https://community.splunk.com/t5/Splunk-Search/What-is-the-limit-on-the-number-of-branches-in-a-single-CASE/m-p/240782#M71571 <P>Try this regex to extract path till last slash. This might eliminate the need to have a complex case statement. </P> <PRE><CODE>v\d+(?&lt;path&gt;[\w\/]+)\/ </CODE></PRE> Fri, 20 Nov 2015 01:11:16 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-limit-on-the-number-of-branches-in-a-single-CASE/m-p/240782#M71571 sundareshr 2015-11-20T01:11:16Z