Solved: Re: Eval Case Statement not working

lorellpascual · ‎11-01-2017

Not sure why the below is not working.

index=www_kinesis rtData.tag=pageviewTag | eval marketing_channel=case(rtData.referralUrl=="https://www.google.com/", "Natural Search", 1=1, "Direct Load") | table sessionId, marketing_channel, rtData.referralUrl

All I basically want is, if my rtData.referralUrl= https://www.google.com/ to output "Natural Search". For some reason I've done equals and I've tried even case match, and I'm still not returning "Natural Search", even though my referralUrl is clearly https://www.google.com/

somesoni2 · ‎11-01-2017

The field name you used in eval contains special characters (dot) so they need to be enclosed within single quotes (this is applicable for eval and where commands). Try this

index=www_kinesis rtData.tag=pageviewTag | eval marketing_channel=case('rtData.referralUrl'=="https://www.google.com/", "Natural Search", 1=1, "Direct Load") | table sessionId, marketing_channel, rtData.referralUrl

View solution in original post

somesoni2 · ‎11-01-2017

The field name you used in eval contains special characters (dot) so they need to be enclosed within single quotes (this is applicable for eval and where commands). Try this

index=www_kinesis rtData.tag=pageviewTag | eval marketing_channel=case('rtData.referralUrl'=="https://www.google.com/", "Natural Search", 1=1, "Direct Load") | table sessionId, marketing_channel, rtData.referralUrl

Eval Case Statement not working

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Eval Case Statement not working

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!