I have an expression which I am trying to use for a calculated field, and it is within a data model for web requests.
The expression is based on HTTP codes with conditions:
(if(status='200', "OKAY"),
(if(status>='400', "CLIENT ERROR"),
(if(status>='500', "SERVER ERROR"),
(if(status>='600', "OTHER"))))
This does not seem to work.
@danesh_shah, please try the following run-anywhere example. It builds the HTTP description based on the http_status_code ranges provided on Wikipedia: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes
| makeresults
| eval http_status_code="101,204,200,302,404,502,600"
| makemv http_status_code delim=","
| mvexpand http_status_code
| eval http_status_description=case(match(http_status_code,"^1\d{2}$"),"Informational",
match(http_status_code,"^2\d{2}$"),"Success",
match(http_status_code,"^3\d{2}$"),"Redirection",
match(http_status_code,"^4\d{2}$"),"Client Error",
match(http_status_code,"^5\d{2}$"),"Server Error",
true(),"Unknown")
| table http_status_code http_status_description
I also tried
(case(status>=200,"okay",
status>=400,"client error",
status>=500,"server error",
status>600,"other"))
Just a question: why is there () covering the whole statement? Additionally, what you want to check is whether those numbers are actually numerical values or not.
I imagined the whole statement would need to be enclosed in brackets; however, I have tried without and it still did not resolve.
Those numbers are numerical, as the first line, where it says case(status=200, "OKAY"), shows:
the preview tab reports this conversion, but the remaining 3 conditions do not seem to resolve; the search report for all field values only states "OKAY", even if the status code is 400...
That's only using case, correct? The problem is how case sees it: as soon as it hits the first match it stops evaluating. So your status>=200 is always correct and thus always shows okay and nothing else.
That's correct, using case only the first line is resolving.
When I tried to use IF, the expression kept failing completely, although I made the correct adjustments for the IF statement,
which was
if(status=200, "OKAY",
status>=400, "CLIENT ERROR",
status>=500, "SERVER ERROR",
status>=600, "OTHER")
Try this
case(status>=600,"other",
status>=500,"server error",
status>=400,"client error",
status>=200,"okay")
I'm never using IF, but again, make sure you use boolean expressions (==, >=, <=) and not assignment (=). Also make sure there is a last condition in an IF if nothing matches. Not sure if Splunk enforces it.
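To make the ordering point visible side by side, here is an added run-anywhere SPL example (not from any of the posters above). It puts the thread's original ascending case() beside the corrected descending one over a constructed list of status codes, converts the field with tonumber() so the comparisons are numeric rather than string comparisons, and adds a true() fallback as the last reply recommends. The field names status_num, wrong_order and right_order are assumptions chosen for this example.

```spl
| makeresults
| eval status="101,200,301,404,500,503,600"
| makemv status delim=","
| mvexpand status
| eval status_num=tonumber(status)
| eval wrong_order=case(status_num>=200,"okay",
    status_num>=400,"client error",
    status_num>=500,"server error",
    status_num>=600,"other")
| eval right_order=case(status_num>=600,"other",
    status_num>=500,"server error",
    status_num>=400,"client error",
    status_num>=200,"okay",
    true(),"unknown")
| table status status_num wrong_order right_order
```

Because case() returns the value of the first condition that is true, the wrong_order column is "okay" for every code from 200 upward and empty for 101 (no branch matched and there is no fallback), while right_order yields "client error" for 404, "server error" for 500 and 503, "other" for 600 and "unknown" for 101. The same descending order, or the match() regex form from the earlier reply, can be pasted into the data model's calculated field once the status field is confirmed to be numeric.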