Re: Multiple case statement is not working?

karthi2809 · ‎03-28-2024

Hi Guys,

I am using multiple keywords to get count of errors from different message.So i am trying case statement to acheive it.

index="mulesoft" applicationName="api" environment="*" (message="Concur Ondemand Started") OR (message="API: START: /v1/fin_Concur") OR (message="*(ERROR): concur  import failed for file*") OR (tracePoint="EXCEPTION") 
| dedup correlationId 
| eval JobName=case(like('message',"Concur Ondemand Started") OR like('message',"API: START: /v1/fin_Concur%") AND like('tracePoint',"EXCEPTION"),"EXPENSE JOB",like('message',"%(ERROR): concur  import failed for file%"),"ACCURAL JOB") 
| stats count by JobName

But i am getting only EXPENSE JOB JobName.But when i split into two query both JobName having result .

ITWhisperer · ‎03-28-2024

There doesn't appear to be anything wrong with case statement on its own. However, there are other statements which might affect your result, e.g. dedup. Please can you share some events demonstrating your issue?

Multiple case statement is not working?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Multiple case statement is not working?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk