https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254935#M76348 <P>Excellent idea!</P> Fri, 14 Oct 2016 16:59:59 GMT jwalzerpitt 2016-10-14T16:59:59Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254929#M76342 <P>I have three event types:</P> <P>eventtype="windows_login_failed"<BR /> eventtype="duo_login_failed"<BR /> eventtype="sremote_login_failed"</P> <P>I am trying to run a search in which I rename the event types to a common name:</P> <P>Windows = eventtype="windows_login_failed"<BR /> DUO = eventtype="duo_login_failed"<BR /> Sremote = eventtype="sremote_login_failed"</P> <P>I run the following search, but I keep getting an error message stating, 'Error in 'eval' command: The expression is malformed. Expected ).'</P> <P>eventtype="windows_login_failed" OR eventtype="duo_login_failed" OR eventtype="sremote_login_failed" [| inputlookup xxx_xxx ] OR [| inputlookup yyy_yyy] | eval Source = (eventtype == windows_login_failed, "Windows"), (eventtype == sremote_login_failed, "SRemote"), (eventtype == duo_login_failed, "DUO") | stats count by myuser,Source| sort -count</P> <P>Any help would be greatly appreciated</P> <P>Thx</P> Tue, 29 Sep 2020 11:25:55 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254929#M76342 jwalzerpitt 2020-09-29T11:25:55Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254930#M76343 <P>you'll need to make a case statement. try this</P> <PRE><CODE>...| eval Source = case(eventtype == "windows_login_failed", "Windows", eventtype == "sremote_login_failed", "SRemote", eventtype == "duo_login_failed", "DUO")| ... </CODE></PRE> Fri, 14 Oct 2016 16:11:00 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254930#M76343 cmerriman 2016-10-14T16:11:00Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254931#M76344 <P>Please check this one - <BR /> eval Source=case(eventtype==windows_login_failed, "Windows", eventtype==sremote_login_failed, "SRemote", eventtype==duo_login_failed, "DUO")</P> <PRE><CODE>eventtype="windows_login_failed" OR eventtype="duo_login_failed" OR eventtype="sremote_login_failed" [| inputlookup xxx_xxx ] OR [| inputlookup yyy_yyy] | eval Source=case(eventtype==windows_login_failed, "Windows", eventtype==sremote_login_failed, "SRemote", eventtype==duo_login_failed, "DUO") | stats count by myuser,Source| sort -count </CODE></PRE> Tue, 29 Sep 2020 11:23:14 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254931#M76344 inventsekar 2020-09-29T11:23:14Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254932#M76345 <P>Thx - that worked great. Appreciate the reply.</P> Fri, 14 Oct 2016 16:32:02 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254932#M76345 jwalzerpitt 2016-10-14T16:32:02Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254933#M76346 <P>Thx - that worked great. Appreciate the reply.</P> Fri, 14 Oct 2016 16:32:08 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254933#M76346 jwalzerpitt 2016-10-14T16:32:08Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254934#M76347 <P>Why you don't use a tag (e.g. Login_failed) assigned to th Three eventypes?<BR /> Bye.<BR /> Giuseppe </P> Fri, 14 Oct 2016 16:48:55 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254934#M76347 gcusello 2016-10-14T16:48:55Z https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254935#M76348 <P>Excellent idea!</P> Fri, 14 Oct 2016 16:59:59 GMT https://community.splunk.com/t5/Splunk-Search/Eval-with-multiple-values/m-p/254935#M76348 jwalzerpitt 2016-10-14T16:59:59Z