Splunk Enterprise

case statement in URL search is not working

sahil237888
Path Finder

Hi,

I am facing some difficulty in achieving below. Can anyone help.
I am getting 0 in the columns only and no other data

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing"
URLlike "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

Labels (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

on manual it's said that you should use like as like(text, pattern). So could you change your query to:

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(like(URL, "https://www.pingtest.com/server/server.aspx%" ), "ServerLogin",
like(URL, "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%"),"Servers",
like(URL,"https://www.pingtest.com/clients/User/Testdata.aspx%") ,"ServersPing"
like(URL, "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%"),"MobilePing",
like(URL, "https://www.pingtest.com/User/newuser.aspx?%"),"NewUserPing",true(),0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

r. Ismo 

0 Karma

niketn
Legend

As per your eval there is a syntax error. However, if the URL field matches the eval condition, then you should see output. Following is a run anywhere example based on your data which is giving output for me

| makeresults 
| eval URL="https://www.pingtest.com/server/server.aspx,https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new,https://www.pingtest.com/clients/User/Testdata.aspx,https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047,https://www.pingtest.com/User/newuser.aspx" 
| makemv URL delim="," 
| mvexpand URL 
| eval LoadTime=random()
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
    URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
    URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing",
    URL like "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",
    URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0) 
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name cont=f
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...