Case with multiple potential wildcard matches

aohls · ‎06-21-2021

I have a field with error messages that I need a case statement to cleanup for reporting. In this case some of the messages contain ID's which make the report long as each error has a unique ID. I want to lean this up by using something like

eval error=case(like(error, "%DB Error"), "Database error", like(error, "%network Error", "Network Error"))... Etc.

I am not getting the matches that I should be getting with this though, still the full errors are showing. Is there a better way to accomplish this?

ITWhisperer · ‎06-21-2021

You could try using match something like this

eval error=case(match(error, "DB Error"), "Database error", match(error, "network Error"), "Network Error")... Etc.

aohls · ‎06-22-2021

I should add that there are two fields I need to try to use. There is a error code and error description and the description has an id in it, so it could be "Database Error: 1234" and another is "Database Code: 3214". I want to combine these to just be "Database Error".

ITWhisperer · ‎06-22-2021

Since match uses regex, you can combine them so long as you can define a regex expression.

| makeresults 
| eval _raw="message Database Error: 1234
other message Database Code: 3214"
| multikv noheader=t
| eval error=case(match(_raw,"Database (Error|Code): \d+"),"Database Error",1==1,"Other Error")
| table _raw error

Case with multiple potential wildcard matches

eval

other

regex

rex

Happy CX Day, Splunk Community!

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas