Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CASE statement not returning required output

schou87
Path Finder
‎06-07-2021 02:09 AM

Hi,

I need my output as below

Date     Greater than 12Hrs    Greater than 24Hrs    Greater than 48Hrs    Greater than 72Hrs

Below is my query

base_query | eval Final_TIME=CASE(TOTAL_TIME>12, "Greater than 12Hrs", TOTAL_TIME>24, "Greater than 24Hrs", TOTAL_TIME>48, "Greater than 48Hrs", TOTAL_TIME>72, "Greater than 72Hrs") | CHART COUNT OVER Date BY Final_TIME | sort - Date | eval Date=strftime(strptime(Date,"%Y-%m-%d"),"%m-%d-%Y") | head 7 | addtotals

My query is only returning 

Date     Greater than 12Hrs   NULL

 

Please help.

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 02:32 AM

Case is evaluated left to right so you could try reordering the comparisons

base_query | eval Final_TIME=CASE(TOTAL_TIME>72, "Greater than 72Hrs", TOTAL_TIME>48, "Greater than 48Hrs", TOTAL_TIME>24, "Greater than 24Hrs", TOTAL_TIME>12, "Greater than 12Hrs") | CHART COUNT OVER Date BY Final_TIME | sort - Date | eval Date=strftime(strptime(Date,"%Y-%m-%d"),"%m-%d-%Y") | head 7 | addtotals
0 Karma
Reply

schou87
Path Finder
‎06-07-2021 10:51 PM

Hi @ITWhisperer 

I am still getting the NULL field and its giving me wrong data. I don't see the "Greater than 72Hrs" field.

Date  Greater than 12Hrs  Greater than 24Hrs  Greater than 48Hrs  NULL  Total

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 11:29 PM

The NULL is there because you didn't include a value for TOTAL_TIME <= 12, or else in the case function.

base_query | eval Final_TIME=CASE(TOTAL_TIME>72, "Greater than 72Hrs", TOTAL_TIME>48, "Greater than 48Hrs", TOTAL_TIME>24, "Greater than 24Hrs", TOTAL_TIME>12, "Greater than 12Hrs", 1==1, "Less than 12Hrs") | CHART COUNT OVER Date BY Final_TIME | sort - Date | eval Date=strftime(strptime(Date,"%Y-%m-%d"),"%m-%d-%Y") | head 7 | addtotals

Apart from that, the counts will be based on the value of TOTAL_TIME. If the counts are wrong, check that TOTAL_TIME is as you expect it to be. Try running the search on a smaller data set so you can check it.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-07-2021 11:17 PM

@schou87 

Can you please try this?

base_query TOTAL_TIME=*

And rest of the search provided by @ITWhisperer .

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...