https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309417#M92815 <P>@dorgra, I think the answer was including <STRONG>true()</STRONG> or <STRONG>1==1</STRONG> condition at the end of the case block, to handled everything else:</P> <PRE><CODE>true(),"EverythingElse" </CODE></PRE> <P>It is similar to default condition block when all the other conditions are not true.</P> Sat, 17 Jun 2017 05:01:40 GMT niketn 2017-06-17T05:01:40Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309411#M92809 <P>I have eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",true(),'test') | </P> <P>How would I say to rename everything else not included in case()?</P> <P>Thanks.</P> Tue, 29 Sep 2020 14:11:15 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309411#M92809 zkenaga 2020-09-29T14:11:15Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309412#M92810 <P>I'm confused - the "everything else" part of <CODE>case()</CODE> already is present in your example, the final pair: <CODE>true(), 'test'</CODE> yielding the value of the field <CODE>test</CODE> if all other tests are false.</P> <P>What do you mean by rename?</P> <P>PS: The first pair, <CODE>false(), 'category'</CODE>, is pointless - <CODE>false()</CODE> is never true.</P> Tue, 23 May 2017 22:49:04 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309412#M92810 martin_mueller 2017-05-23T22:49:04Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309413#M92811 <P>I apologize if I wasn't descriptive enough. I have 11tests and 22tests grouped together under a common name, what would be a way I could say, "for everything else, call it <STRONG>this</STRONG>"</P> Tue, 23 May 2017 22:52:30 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309413#M92811 zkenaga 2017-05-23T22:52:30Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309414#M92812 <P>I figured it out after reading what you said more carefully... Thank you again</P> Tue, 23 May 2017 23:00:51 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309414#M92812 zkenaga 2017-05-23T23:00:51Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309415#M92813 <P>Do post what you did as an answer, and mark it as accepted.</P> Tue, 23 May 2017 23:16:03 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309415#M92813 martin_mueller 2017-05-23T23:16:03Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309416#M92814 <P>I'm a noob to Splunk and very interested in this question. As a programmer, why not nest the Case statement inside an IF statement?</P> Sat, 17 Jun 2017 01:16:56 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309416#M92814 dorgra 2017-06-17T01:16:56Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309417#M92815 <P>@dorgra, I think the answer was including <STRONG>true()</STRONG> or <STRONG>1==1</STRONG> condition at the end of the case block, to handled everything else:</P> <PRE><CODE>true(),"EverythingElse" </CODE></PRE> <P>It is similar to default condition block when all the other conditions are not true.</P> Sat, 17 Jun 2017 05:01:40 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309417#M92815 niketn 2017-06-17T05:01:40Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309418#M92816 <P>To amplify what @niketnilay said, wrapping an <CODE>if</CODE> around a <CODE>case</CODE> statement, in pretty much any language, is redundant. The only place it makes sense is in a few ancient languages where the <CODE>switch/case/evaluate/whateveritwascalled</CODE> statement is limited to numeric values and the <CODE>if</CODE> is not -- or by extension, where the main <CODE>switch</CODE> is based on conditionally jumping instructions due to different values of a single test, and you want the <CODE>if</CODE> to represent a different test.</P> Sat, 17 Jun 2017 17:53:13 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309418#M92816 DalJeanis 2017-06-17T17:53:13Z https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309419#M92817 <P>Just to put the correct answer in writing:</P> <PRE><CODE>eval category=case(false(),'category',like('test',"test_11%"),"11tests",like('test',"test_22%"),"22tests",like('test',"test33%"),"33tests",1==1,'everything_else') </CODE></PRE> Fri, 01 Sep 2017 14:34:04 GMT https://community.splunk.com/t5/Splunk-Search/rename-everything-not-included-in-case/m-p/309419#M92817 mengler_splunk 2017-09-01T14:34:04Z