Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can you help me write an eval case function search?

rgarbac1
New Member
‎08-11-2017 06:52 AM

I am looking for help with a case statement that looks for a field full load with a value of "running CDC only in fresh start mode, starting from log position: 'timestamp:", and if full load doesn't find that then other is used.

index=sse_gdia_local_idx "starting from log" |eval fullload = case("running CDC only in fresh start mode, starting from log position: 'timestamp:",
trim(replace(fullload, "running CDC only in fresh start mode, starting from log position: 'timestamp:","")) and

trim(replace(fullload, "T", " ")) and trim(replace(fullload, "'", " ")) and |eval c_time2=strptime(fullload,"%Y-%m-%d %H:%M:%S")
-14400 and c_time2 = strftime(c_time2,"%Y-%m-%d %H:%M:%S"),
other|convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time2) |fields fullload, c_time2

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-11-2017 05:23 PM

Hi @rgarbac1,
Here's some info from the Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/ConditionalFunctions
case(X,"Y",...)
Description:This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that are evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument is returned. The function defaults to NULL if none are true.
Usage: You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example returns descriptions for the corresponding http status code.

... | eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")

From a cursory glance and without being a Splunk expert (I'm a community post moderator), it does look like the syntax is off where X should be without quotes and y should have quotes: case(X,"Y",...)
Hope that helps! I added some tags for more expert visibility too. 🙂

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...