Splunk Enterprise

case statement in URL search is not working

sahil237888
Path Finder

Hi,

I am facing some difficulty in achieving the below. Can anyone help?
I am getting only 0 in the columns and no other data.

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing"
URLlike "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

0 Karma

isoutamo
SplunkTrust

Hi

The manual says that you should use like as like(text, pattern). So could you change your query to:

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(like(URL, "https://www.pingtest.com/server/server.aspx%" ), "ServerLogin",
like(URL, "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%"),"Servers",
like(URL,"https://www.pingtest.com/clients/User/Testdata.aspx%") ,"ServersPing",
like(URL, "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%"),"MobilePing",
like(URL, "https://www.pingtest.com/User/newuser.aspx?%"),"NewUserPing",true(),0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

r. Ismo 

0 Karma

As per your eval, there is a syntax error. However, if the URL field matches the eval condition, then you should see output. The following is a run-anywhere example based on your data, which is giving output for me:

| makeresults 
| eval URL="https://www.pingtest.com/server/server.aspx,https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new,https://www.pingtest.com/clients/User/Testdata.aspx,https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047,https://www.pingtest.com/User/newuser.aspx" 
| makemv URL delim="," 
| mvexpand URL 
| eval LoadTime=random()
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
    URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
    URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing",
    URL like "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",
    URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0) 
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name cont=f
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma