Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

case statement in URL search is not working

sahil237888
Path Finder
‎08-14-2020 05:34 AM

Hi,

I am facing some difficulty in achieving below. Can anyone help.
I am getting 0 in the columns only and no other data

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing"
URLlike "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-14-2020 06:05 AM

Hi

on manual it's said that you should use like as like(text, pattern). So could you change your query to:

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| eval url_name= case(like(URL, "https://www.pingtest.com/server/server.aspx%" ), "ServerLogin",
like(URL, "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%"),"Servers",
like(URL,"https://www.pingtest.com/clients/User/Testdata.aspx%") ,"ServersPing"
like(URL, "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%"),"MobilePing",
like(URL, "https://www.pingtest.com/User/newuser.aspx?%"),"NewUserPing",true(),0)
| timechart span=1m  eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name

r. Ismo 

0 Karma
Reply

niketn
Legend
‎08-14-2020 06:04 AM

As per your eval there is a syntax error. However, if the URL field matches the eval condition, then you should see output. Following is a run anywhere example based on your data which is giving output for me

| makeresults 
| eval URL="https://www.pingtest.com/server/server.aspx,https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new,https://www.pingtest.com/clients/User/Testdata.aspx,https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047,https://www.pingtest.com/User/newuser.aspx" 
| makemv URL delim="," 
| mvexpand URL 
| eval LoadTime=random()
| eval url_name= case(URL like "https://www.pingtest.com/server/server.aspx%" , "ServerLogin",
    URL like "https://www.servermonitor/clients/hostname/server.aspx?filetype_id=474&mode=new%","Servers",
    URL like "https://www.pingtest.com/clients/User/Testdata.aspx%" ,"ServersPing",
    URL like "https://www.pingtest.com/mobileusers/Logins/Login.aspx?testid=1578&actid=21047%","MobilePing",
    URL like "https://www.pingtest.com/User/newuser.aspx?%","NewUserPing",1==1,0) 
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by url_name cont=f
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...