Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me write an eval case function search?

rgarbac1
New Member
‎08-11-2017 06:52 AM

I am looking for help with a case statement that looks for a field full load with a value of "running CDC only in fresh start mode, starting from log position: 'timestamp:", and if full load doesn't find that then other is used.

index=sse_gdia_local_idx "starting from log" |eval fullload = case("running CDC only in fresh start mode, starting from log position: 'timestamp:",
trim(replace(fullload, "running CDC only in fresh start mode, starting from log position: 'timestamp:","")) and

trim(replace(fullload, "T", " ")) and trim(replace(fullload, "'", " ")) and |eval c_time2=strptime(fullload,"%Y-%m-%d %H:%M:%S")
-14400 and c_time2 = strftime(c_time2,"%Y-%m-%d %H:%M:%S"),
other|convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time2) |fields fullload, c_time2

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-11-2017 05:23 PM

Hi @rgarbac1,
Here's some info from the Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/ConditionalFunctions
case(X,"Y",...)
Description:This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that are evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument is returned. The function defaults to NULL if none are true.
Usage: You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example returns descriptions for the corresponding http status code.

... | eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")

From a cursory glance and without being a Splunk expert (I'm a community post moderator), it does look like the syntax is off where X should be without quotes and y should have quotes: case(X,"Y",...)
Hope that helps! I added some tags for more expert visibility too. 🙂

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top