Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can AND or OR be used in case statements in eval expressions?

joegrossman
Explorer
‎05-08-2012 01:51 PM

Right now I have a search that contains c(eval(status<=400)) AS SUCCESS c(eval(status>400)) AS FAILURE.
This works, producing a chart of failures and sucesses. But now I want to change it so it has a WARNING category. This would include only status=404. But to do this I would have to change the FAILURE category to something like, status>400 AND status !=404. But the case statement does not seem to allow this.
Can anyone help me with this?

Tags (2)
Reply

dvl077
Explorer
‎02-06-2013 08:03 AM

I confirm, the boolean expression in case() works. My problem was the following:

To gather one of the needed values to decide on i did the following:


| eval no-value-supplied = if(isnull(mkfind(msisdn, "no-value-supplied")), 1, 0)

Note that the introduced variable and the constant string in the mkfind are identical.

Interesting is:

if you output the variable, e.g. via "table no-value-supplied" the value binding is correct (1 or 0 in this case).

Using no-value-supplied in a boolean statement inside of case


| eval new_var = case(no-value-supplied == 1 AND ....)

never yields true.

Is this a bug, or did i miss something in the documentation?

Renaming the variable fixed the issue.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎02-06-2013 08:29 AM

My experience is that dashes can sometimes be confused for subtract. As a point of habit, I separate words in my field names with underscore.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-05-2013 01:39 PM

I can get it to work with the following search

sourcetype=access_combined status=404 OR status=200 
| dedup 3 status 
| eval tt=if(time_taken<500, "1", "0") 
| eval var1 = case(status==200 AND tt=1, "A", status==404 AND tt==0, "B", 1>0, "C") 
| table status tt var1

For sake of clarity/completeness, I've included the complete search I used. The first three lines are just for getting event data (based off access_combined) to work on, so they don't have any real purpose besides that.

The results table looks like;

status  tt  var1
404     1   C
200     1   A
404     0   B
200     0   C

Hope this helps,

Kristian

Reply

dvl077
Explorer
‎02-05-2013 08:07 AM

The question was not answered (which seems to be the normal):

So, is:


eval var1 = case(A==0 AND B==1, "ZeroOne",
A==1 AND B==0, "OneZero",
1==1, "Neither")

Supposed to be a valid construct?

In my case i can't get it to work. It's either the default branch (1==1) or NULL.

Any hints?

Dirk

Reply

dvl077
Explorer
‎02-06-2013 08:33 AM

It was just a observation, no critique of the participants was implied.

0 Karma
Reply

landen99
Motivator
‎01-05-2016 05:53 AM

like truth, observations are not always productive or good. also, paid-support can be quite slow and unhelpful as well, in far too many cases.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-06-2013 08:22 AM

While I can totally appreciate frustration, please remember that most splunk-base participants do not work for Splunk and are answering people's questions on a completely volunteer basis. I don't think your "which seems to be normal" comment is fair to those who do spend a lot of time trying to offer free help on here. Splunk has paid support options available to you if the community is not able to help you solve your problems.

Reply

kristian_kolb
Ultra Champion
‎05-09-2012 09:09 AM

Or you can do it through rangemap... 

... |  rangemap field=status SUCCESS=0-399 WARNING=404-404 default=FAILURE

Then you have the information in the newly created field 'range'.

Hope this helps,

Kristian

Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-08-2012 06:49 PM

Another approach might be to use a lookup table that has all the various HTTP response codes and the resulting status you wish them to have. You'd have to enumerate them and specify a value for each, but it is workable.

Reply

Ayn
Legend
‎05-08-2012 02:06 PM

Which case statement?

The eval statement supports this. All you have to do is something like this:

... | stats c(eval(status>400 AND status!=404)) AS FAILURE
Reply

Ayn
Legend
‎05-09-2012 10:39 AM

But it does! I just tried it myself.

0 Karma
Reply

joegrossman
Explorer
‎05-09-2012 08:30 AM

Ayn,
This does not work at least with timechart

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...