kausar
Path Finder
12-22-2016
03:43 PM
I have multiple queries for the same index and am therefore trying to avoid subsearches. I am looking for the right syntax, trying to do something like:
index=abc sourcetype=xyz | eval w=case("keyword1", "k1", "keyword2" OR "keyword3", "k23", "keyword3" AND "keyword4", "k34")
OR
index=abc sourcetype=xyz | eval w=case(_raw == "*keyword1*", "k1", _raw==("*keyword2*" OR "keyword3"), "k23", _raw=="*keyword3*" AND "*keyword4*", "k34")
Though I can use multiple subsearches and append the results, it doesn't seem very efficient.
1 Solution

lguinn2
Legend
12-22-2016
10:09 PM
Neither of your eval functions has the proper syntax. I expect that you want:
index=abc sourcetype=xyz
| eval w=case( match(_raw,"keyword1"), "k1",
match(_raw,"keyword2") OR match(_raw,"keyword3"), "k23",
match(_raw,"keyword3") AND match(_raw,"keyword4"), "k34")
Here is the syntax for the match and case functions: Evaluation Functions
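As an added example (not from the original thread), the following Python emulates the case()/match() semantics used in the accepted answer on a few constructed events. Splunk's case() returns the value of the first true condition, so with the conditions in the posted order an event containing both keyword3 and keyword4 is labelled k23, and it is labelled k34 only when the AND condition is listed first. The names splunk_match, splunk_case, classify, classify_specific_first, EVENTS and tally are assumptions of this example.

```python
import re

# Emulation of Splunk eval case()/match() semantics, added here so the
# first-match ordering of the answer can be checked on sample events.
# This is illustrative code, not Splunk's own implementation.

def splunk_match(raw, pattern):
    """Splunk match(field, regex): true if the regex matches anywhere."""
    return re.search(pattern, raw) is not None

def splunk_case(*args):
    """Splunk case(c1, v1, c2, v2, ...): value of the FIRST true
    condition; NULL (None here) when no condition is true."""
    if len(args) % 2:
        raise ValueError("case() needs condition/value pairs")
    for cond, val in zip(args[::2], args[1::2]):
        if cond:
            return val
    return None

def classify(raw):
    """The answer's eval, with the conditions in the posted order."""
    return splunk_case(
        splunk_match(raw, "keyword1"), "k1",
        splunk_match(raw, "keyword2") or splunk_match(raw, "keyword3"), "k23",
        splunk_match(raw, "keyword3") and splunk_match(raw, "keyword4"), "k34",
    )

def classify_specific_first(raw):
    """Same conditions, but the AND condition listed before the OR one."""
    return splunk_case(
        splunk_match(raw, "keyword1"), "k1",
        splunk_match(raw, "keyword3") and splunk_match(raw, "keyword4"), "k34",
        splunk_match(raw, "keyword2") or splunk_match(raw, "keyword3"), "k23",
    )

# Constructed sample _raw events (not taken from the original post).
EVENTS = [
    "2016-12-22 03:43:00 host=web01 keyword1 login ok",
    "2016-12-22 03:44:00 host=web01 keyword2 seen",
    "2016-12-22 03:45:00 host=web02 keyword3 and keyword4 together",
    "2016-12-22 03:46:00 host=web02 nothing interesting",
]

def tally(fn):
    """Equivalent of '| stats count by w' over the sample events."""
    counts = {}
    for ev in EVENTS:
        w = fn(ev)
        counts[w] = counts.get(w, 0) + 1
    return counts

if __name__ == "__main__":
    print(tally(classify))                 # {'k1': 1, 'k23': 2, None: 1}
    print(tally(classify_specific_first))  # {'k1': 1, 'k23': 1, 'k34': 1, None: 1}
```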