Splunk Enterprise

case statement in URL search is not working

sahil237888
Path Finder

Hi,

I am facing some difficulty in achieving below. Can anyone help.
I am getting 0 in the columns only and no other data

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing"
URLlike "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

Labels (2)
0 Karma

soutamo
SplunkTrust
SplunkTrust

Hi

on manual it's said that you should use like as like(text, pattern). So could you change your query to:

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(like(URL, "https://www.pingtest.com/server/server.aspx%" ), "ServerLogin",
like(URL, "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%"),"Servers",
like(URL,"https://www.pingtest.com/clients/User/Testdata.aspx%") ,"ServersPing"
like(URL, "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%"),"MobilePing",
like(URL, "https://www.pingtest.com/User/newuser.aspx?%"),"NewUserPing",true(),0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

r. Ismo 

0 Karma

niketnilay
Legend

As per your eval there is a syntax error. However, if the URL field matches the eval condition, then you should see output. Following is a run anywhere example based on your data which is giving output for me

| makeresults 
| eval URL="https://www.pingtest.com/server/server.aspx,https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new,https://www.pingtest.com/clients/User/Testdata.aspx,https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047,https://www.pingtest.com/User/newuser.aspx" 
| makemv URL delim="," 
| mvexpand URL 
| eval LoadTime=random()
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
    URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
    URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing",
    URL like "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",
    URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0) 
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name cont=f
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!