Hi,
I was trying to construct an eval case statement using the default _raw field and observed strange results. Here is my search:
base search
| eval status=case(_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:A*"),"A users login",
_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:B*"),"B users login",
_raw LIKE "%login to mobile app%" AND match(_raw ,"userID:C*"),"C users login",
0==0,"others" )
| chart count by date_month,status
Each time I run my search with the above syntax, Splunk gives me a different count. The results are completely skewed.
If I add | eval raw=_raw
and use the "raw" field in the case statement, it gives correct results, no matter how many times I run it.
So is there any limitation on using the default _raw field in a case statement?
NOTE: I can achieve the desired results in a simpler way, but my question is specific to the above syntax.
Looks like I found the answer to my issue. As I suspected, it's not an issue with the _raw field; rather, it is verbose search mode. When I use smart mode the results are consistent, but not with verbose mode. And strangely, the results do not match across search modes, i.e., verbose and smart mode results are not matching.
I have asked Splunk support about the strange behavior of search modes; they are investigating. This seems to be a bug as per [https://answers.splunk.com/answers/343834/why-am-i-getting-three-different-results-running-a.html], but Splunk hasn't confirmed it to me yet.
I am using 6.3.2.
I will keep you posted once I hear from Splunk support.
Since I got an answer to my original question, I am marking this as answered.
This probably doesn't matter for your main question, but still: keep in mind that match() treats the second argument as a regular expression, so match(field, "userID=B*") would match if field contained "userID=", "userID=B", "userID=BB", and so on. Additionally, you switch between userID= and userID: and you include B* twice.

Another recommendation: don't rely on date_month. Instead, use bin span=1mon _time | chart count by _time, status. Depending on how your timestamp was extracted, date_foo fields aren't always present.

More on topic, to narrow down the problem you should simplify your case() statement. Is it the LIKE? Is it the match()? Does the issue only appear when both are used?
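The regex point above is worth seeing in action, because the patterns as posted in the question ("userID:A*" and friends) quietly misclassify every event. "A*" matches zero or more A's, so "userID:A*" matches any event that merely contains "userID:", and the first branch of case() wins for B and C users too. The following is an added example, not code from the original post or from Splunk: it simulates the posted case() statement and the commenter's suggested monthly chart in Python, using re.search as a stand-in for Splunk's unanchored match() (an assumption that holds for these simple patterns) and a handful of constructed log lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the original post): one "login to
# mobile app" event per user prefix, plus one unrelated event.
EVENTS = [
    ("2016-01-05T10:00:00", "login to mobile app userID:A1234 ok"),
    ("2016-01-06T11:00:00", "login to mobile app userID:B5678 ok"),
    ("2016-02-01T09:30:00", "login to mobile app userID:C9012 ok"),
    ("2016-02-02T09:31:00", "logout from mobile app userID:B5678"),
]

# Branches as posted: match(_raw, "userID:A*") etc.  "A*" can match the
# empty string, so every event containing "userID:" hits the first branch.
POSTED_BRANCHES = [
    ("userID:A*", "A users login"),
    ("userID:B*", "B users login"),
    ("userID:C*", "C users login"),
]

# Corrected patterns: require the prefix letter, then consume the rest of
# the ID so the match is what the author evidently intended.
FIXED_BRANCHES = [
    (r"userID:A\w*", "A users login"),
    (r"userID:B\w*", "B users login"),
    (r"userID:C\w*", "C users login"),
]


def classify(raw, branches):
    """Mimic eval status=case(... , 0==0, "others").

    The LIKE "%login to mobile app%" test becomes a substring check; each
    match() becomes an unanchored re.search (assumed equivalent here).
    Branches are tried in order and the first hit wins, as in case().
    """
    if "login to mobile app" in raw:
        for pattern, label in branches:
            if re.search(pattern, raw):
                return label
    return "others"


def chart_by_month(events, branches):
    """Equivalent of | bin span=1mon _time | chart count by _time, status.

    Buckets on the event's own timestamp (YYYY-MM) rather than on a
    date_month field, which may be absent depending on timestamp extraction.
    """
    counts = Counter()
    for ts, raw in events:
        month = datetime.fromisoformat(ts).strftime("%Y-%m")
        counts[(month, classify(raw, branches))] += 1
    return dict(counts)


if __name__ == "__main__":
    # As posted, every login lands in "A users login"; corrected, each user
    # prefix is counted separately.
    print("posted :", chart_by_month(EVENTS, POSTED_BRANCHES))
    print("fixed  :", chart_by_month(EVENTS, FIXED_BRANCHES))
```

Run it and the "posted" chart shows three "A users login" events and no B or C users at all, while the "fixed" chart splits them correctly. The same fix applies in SPL: drop the trailing "*" (or use "userID:A\w*") so the letter after "userID:" is actually required.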
Sorry, it was a typo; there is no "userID=" and B* appears only once. See the query now.
Yes, I am aware that match() treats it as a regex. This is not my exact query; I tried to reproduce my problem with simple syntax here. Thanks for your recommendation.
Based on my observation, I don't think the issue is with LIKE or match() or both, because, like I said, the results do not vary when I assign _raw to any field and use that in the case statement. It seems the issue only appears when I use _raw. Hence I wanted to know if anyone has faced a similar issue while using the _raw field.