Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Case Statement Issue

Bbyers3
New Member
‎01-23-2020 12:01 PM

I'm Having issues with my case statement.

index=sti_123 source=rss_servers active = "1" status = "Being Commissioned"

| eval Timenow=now()
| eval days_since_provisioned = Timenow - date_provisioned
| eval bucket = case(days_since_provisioned <=179, "Less Than 180", days_since_provisioned <= 210, "180-210", days_sinced_provisioned >= 210, "Greater Than 210")
| chart count by bucket

I believe it is the bucket case statement that is the issue, because I remove the "By bucket" and it gives me the correct total, but I just need to be able to say X server has been in this stage for A B or C length

Tags (2)
0 Karma
Reply

13tsavage
Communicator
‎01-23-2020 12:40 PM

Try this:

| eval Timenow=now()
| convert timeformat="%Y/%m/%d" mktime(_time) as date_provisioned
| eval days_since_provisioned=Timenow-floor(date_provisioned)
| eval bucket=case(days_since_provisioned<=179, "Less Than 180", days_since_provisioned<=210, "180-210", days_sinced_provisioned>=210, "Greater Than 210")
| chart count by bucket

I do not think you had your date_provisioned field is configured in your last search so that screwed up your days_since_provisioned eval.

I created a date_provisioned field using the convert timeformat=... mktime(_time) as date_provisioned. Then added in the rest of your search with some minor tweaks.

Hope this helps!

0 Karma
Reply

jimodonald
Contributor
‎01-23-2020 12:16 PM

"bucket" is a search command and could be skewing your results. try renaming your "bucket" to "mybucket" and see if that helps.

0 Karma
Reply

jpolvino
Builder
‎01-23-2020 12:29 PM

This, and also please check your case statement because you have one field named days_sinced_provisioned in there.

A best practice here is to have a pair at the end:
1==1,"Other"

This will help you identify cases where you have a logic hole, or maybe events that don't have a time value, and therefore won't participate in your counts.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...