Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Eval Case Formula
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Struggling to complete an Eval Case syntax. I want to create a situation where I have a new field called provider based on certain criteria.
Provider:
XYZ (if D1_Code equals X and current team does not equal ABC or DEF)
ABC (if current team equals ABC) - wildcards needed as there are variants of ABC
DEF (if current team equals DEF) - wildcards needed as there are variants of DEF
Search string is | eval Provider=case(D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF", "XYZ", Current_Team="ABC", "ABC", Current_Team="DEF", "DEF")
The first part of the eval works on it's own but when I try and add criteria for ABC and DEF it will not work.
Provider=case(D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF")
Could anyone please advice? Not sure if case is the right thing to use here.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me: | makeresults | eval D1_Code="X", Current_Team="DEF" | eval Provider=case( (D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF"), "XYZ", Current_Team="ABC", "ABC", Current_Team="DEF", "DEF")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about you change the order, like this...
....| eval Provider=case(Current_Team="ABC", "ABC", Current_Team="DEF", "DEF",D1_Code="X", "XYZ")
Also, if you want to match with wildcards (you need to provide actual sample values for better suggestions), try this
....| eval Provider=case(match(Current_Team,"ABC"), "ABC", match(Current_Team,"DEF"), "DEF",D1_Code="X", "XYZ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brilliant - this solved the issue!
Many thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
converted to answer, if it worked for you, please accept it and mark as answered
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
