Splunk Search

Can we perform search on a value that is returned from a CASE function

gurkiratsingh
Explorer

Hi can I perform a search on a value that is returned from a CASE function in the same search.

eval filter=case(
( (IST_time_hour=23 AND IST_time_min>=00) OR (IST_time_hour=00 AND IST_time_min<30) ),"1"
,( (IST_time_hour=00 AND IST_time_min>=30) OR (IST_time_hour=01 AND IST_time_min<59) ),"2"
,( (IST_time_hour=02 AND IST_time_min>=00) OR (IST_time_hour=03 AND IST_time_min<30) ),"3"
,( (IST_time_hour=03 AND IST_time_min>=30) OR (IST_time_hour=04 AND IST_time_min<59) ),"4"
,( (IST_time_hour=05 AND IST_time_min>=00) OR (IST_time_hour=06 AND IST_time_min<30) ),"5"
,( (IST_time_hour=06 AND IST_time_min>=30) OR (IST_time_hour=07 AND IST_time_min<59) ),"6"
,( (IST_time_hour=08 AND IST_time_min>=00) OR (IST_time_hour=09 AND IST_time_min<30) ),"7"
,( (IST_time_hour=09 AND IST_time_min>=30) OR (IST_time_hour=10 AND IST_time_min<59) ),"8"
,( (IST_time_hour=11 AND IST_time_min>=00) OR (IST_time_hour=12 AND IST_time_min<30) ),"9"
,( (IST_time_hour=12 AND IST_time_min>=30) OR (IST_time_hour=13 AND IST_time_min<59) ),"10"
,( (IST_time_hour=14 AND IST_time_min>=00) OR (IST_time_hour=15 AND IST_time_min<30) ),"11"
,( (IST_time_hour=15 AND IST_time_min>=30) OR (IST_time_hour=16 AND IST_time_min<59) ),"12"
,( (IST_time_hour=17 AND IST_time_min>=00) OR (IST_time_hour=18 AND IST_time_min<30) ),"13"
,( (IST_time_hour=18 AND IST_time_min>=30) OR (IST_time_hour=19 AND IST_time_min<59) ),"14"
,( (IST_time_hour=20 AND IST_time_min>=00) OR (IST_time_hour=21 AND IST_time_min<30) ),"15"
,( (IST_time_hour=21 AND IST_time_min>=30) OR (IST_time_hour=22 AND IST_time_min<59) ),"15"
)
|search abc=filter

Please help guys as to how to proceed in a situation like this. If this is not possible whether is it possible to store the filter value in a token which can be used in another search simultaneously.

0 Karma

woodcock
Esteemed Legend

Just add this after that:

... | where abc=filter

You CANNOT use search to compare to fields.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, that is allowed. If you don't get the desired results, try | search abc='filter'.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

gurkiratsingh
Explorer

Hi even on doing the above mentioned still I am not getting any result. The case function is working perfectly fine. For example when I am doing (|search abc=7) I am getting the results but when I use it through the case function (|search abc='filter') then I am not getting any results. The value of filter is getting extracted correctly.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!