topic Re: Help with CASE in Splunk Search

Help with CASE

efelder0 — Thu, 29 Dec 2011 19:32:50 GMT

How do I assign the value "Informational" to the field Severity when the AV Version contains NULL values byu using the Case:

Severity= Informational
AV Version = NULL

eval Severity =case (AV_Version = NULL, "Informational") --> this does not work

PLease advise.. thx

Re: Help with CASE

joshd — Thu, 29 Dec 2011 19:43:27 GMT

Are you looking for the word NULL in AV_Version or just blank values? If you want to use case then you're missing a couple things... this should work..

eval Severity=case(AV_Version == "NULL", "Informational", AV_Version == "", "Informational")

You can also look at using the isnull() and if() functions...

eval Severity=if(isnull(AV_Version),"Informational",AV_Version)

Re: Help with CASE

efelder0 — Thu, 29 Dec 2011 19:49:22 GMT

SOrry, I am looking for blank values.

So, eval Severity=case (AV_Version == "", "Informational") should work??

Re: Help with CASE

joshd — Thu, 29 Dec 2011 19:53:34 GMT

That or you can use the if and isnull combination mentioned ... or you can go as far as to use len() to check the string length, if it's 0 then you know its empty 🙂

Re: Help with CASE

efelder0 — Thu, 29 Dec 2011 20:24:39 GMT

Neither of the above mentioned seems to be working..

DO you have example of the len() command?

Re: Help with CASE

joshd — Mon, 28 Sep 2020 10:15:27 GMT

And you are sure the AV_Version field is being extracted and appears in the events even if it's NULL or blank? For len you would just do ... | eval Severity=if(len(AV_Version)==0,"Informational",AV_Version)

Re: Help with CASE

efelder0 — Thu, 29 Dec 2011 20:30:25 GMT

That field being extracted is blank...

Re: Help with CASE

joshd — Thu, 29 Dec 2011 20:36:22 GMT

Sorry I dont quite understand... are you confirming the field is being extracted even if it's blank or NULL? If you do just a regular search for null values it returns events? for example: * | where isnull(AV_Version)

Re: Help with CASE

efelder0 — Thu, 29 Dec 2011 20:40:35 GMT

Here is the actual search string:

    sourcetype="McAfee ePo - All" |
    sort DAT_Version__VirusScan_Enterprise_ |
    eval AV_Version=DAT_Version__VirusScan_Enterprise_ |
    eval Version_Diff=Current_DAT_Version- 
    DAT_Version__VirusScan_Enterprise_ |
    eval Severity =case(
    DAT_Version__VirusScan_Enterprise_ = 0, "Informational",        
    DAT_Version__VirusScan_Enterprise_ == "", "Informational",
    Version_Diff >= 0 AND Version_Diff <= 5, "Low",
    Version_Diff > 5 AND Version_Diff <= 10, "Medium",
    Version_Diff > 10, "High",
    DAT_Version__VirusScan_Enterprise_ = "N/A", "Informational") |
    table System_Name Last_Communication Current_DAT_Version AV_Version Severity Engine_Version__VirusScan_Enterprise_

Re: Help with CASE

joshd — Thu, 29 Dec 2011 20:43:22 GMT

Can you edit your post, highlight the search string you have above and click the code button on the menu bar so that it pastes properly and does not apply automatic formatting.

Re: Help with CASE

Drainy — Thu, 29 Dec 2011 20:48:12 GMT

hmm, best effort at making it more readable