https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39174#M8930 <P>hello,</P> <P>I have a question about a search with case. This is my search:</P> <PRE><CODE>source="Laura_acs" |eval Transac=case(ERRL="TIMEOUT_REACHED" OR ERRL="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure", SD_STAT_PA="NO" AND (NOT ERRL="TIMEOUT_REACHED" OR NOT ERRL="TIMEOUT_REACHED_RECORD"),"PA Pb Autres",STAT_VE="N","VE No",STAT_VE="Y" AND SD_STAT_PA="Y","PA Yes",STAT_VE="Y" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="Y" AND SD_STAT_PA="N", "PA No",STAT_VE="Y","VE sans PA")|DEDUP ID_TRANS|chart count by Transac </CODE></PRE> <P>In this search I want for the last case (VE sans PA) that my log line doen't contain field SD_STAT_PA. How can do it? Because, for the moment, STAT_VE="Y" is the selection of all the others case.</P> <P>Thx by advance,</P> <P>Laura </P> Mon, 28 Sep 2020 12:17:41 GMT LauraBre 2020-09-28T12:17:41Z https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39174#M8930 <P>hello,</P> <P>I have a question about a search with case. This is my search:</P> <PRE><CODE>source="Laura_acs" |eval Transac=case(ERRL="TIMEOUT_REACHED" OR ERRL="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure", SD_STAT_PA="NO" AND (NOT ERRL="TIMEOUT_REACHED" OR NOT ERRL="TIMEOUT_REACHED_RECORD"),"PA Pb Autres",STAT_VE="N","VE No",STAT_VE="Y" AND SD_STAT_PA="Y","PA Yes",STAT_VE="Y" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="Y" AND SD_STAT_PA="N", "PA No",STAT_VE="Y","VE sans PA")|DEDUP ID_TRANS|chart count by Transac </CODE></PRE> <P>In this search I want for the last case (VE sans PA) that my log line doen't contain field SD_STAT_PA. How can do it? Because, for the moment, STAT_VE="Y" is the selection of all the others case.</P> <P>Thx by advance,</P> <P>Laura </P> Mon, 28 Sep 2020 12:17:41 GMT https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39174#M8930 LauraBre 2020-09-28T12:17:41Z https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39175#M8931 <P>Use <CODE>isnull</CODE>:</P> <PRE><CODE>isnull(SD_STAT_PA) </CODE></PRE> Mon, 20 Aug 2012 14:12:50 GMT https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39175#M8931 Ayn 2012-08-20T14:12:50Z https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39176#M8932 <P>Thx very much, it works.</P> Tue, 21 Aug 2012 11:47:26 GMT https://community.splunk.com/t5/Splunk-Search/search-case-gt-field-doesn-t-exist/m-p/39176#M8932 LauraBre 2012-08-21T11:47:26Z