Solved: Re: Help with eval case match

maxouhunterfc · ‎01-17-2023

event is json:

{message:AZK} x 10

{message:BCK} x 5

{message:C} x 3

What Im trying to get is a table to count message by values with a modified text

Message AZK - 10

Message BCK - 5

C - 3

I use this:

| eval extended_message= case(
match(_raw,"AZK"),"Message AZK",
match(_raw,"BCK"),"Message BCK",
1=1, message)
| stats count as nombre by extended_message
| sort nombre desc
| table extended_message, nombre

I can't not get the "C" in the list to be counted

the message from the JSON event is not interpreted (i don't know)

Thanks for your help

kamlesh_vaghela · ‎01-17-2023

@maxouhunterfc

I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.

Can you please try this?

 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

My Sample Search :

| makeresults 
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|") 
| mvexpand raw 
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

maxouhunterfc · ‎01-17-2023

I needed to use indeed a rex

kamlesh_vaghela · ‎01-17-2023

@maxouhunterfc

I think you have to extract message value from raw. Bcoz it looks _raw is not a valid json.

Can you please try this?

 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

My Sample Search :

| makeresults 
| eval raw="{message:AZK} x 10|{message:BCK} x 5|{message:C} x 3", raw=split(raw,"|") 
| mvexpand raw 
| rename raw as _raw 
|rename comment as "upto this is sample data" 
| rex field=_raw "message:(?<message>.*)}" 
| eval extended_message= case(
    match(_raw,"AZK"),"Message AZK",
    match(_raw,"BCK"),"Message BCK",
    1=1, message) 
| stats count as nombre by extended_message 
| sort nombre desc 
| table extended_message, nombre

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How to achieve eval case match?

splunk-assist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation