Eval Case limit to number of cases?

fairje
Communicator

So, I am trying to simplify my Proxy Web Categories (it tends to have multiple categories listed on single sites, making what would be 100 unique categories over 10,000 categories in a 24-hour period, making it hard to do statistics on it). So I thought I would solve the issue by doing a case statement with priorities on the categories (the ones in the front will then take precedence over later values). In any case, the "Case" statement appears to have an upper limit that is somewhere greater than ~90 cases and less than 100 cases.

Does anyone have any additional details on this? There is nothing that I see in the docs limiting case. Has anyone ever tried doing that many case statements?

Full eval string below:

eval category=case(
    category like "%Incidental Nudity%", "Incidental Nudity", category like "%Nudity%", "Nudity", category like "%Pornography%", "Pornography", category like "%Provocative Attire%", "Provocative Attire", category like "%Sexual Materials%", "Sexual Materials",
    category like "%Malicious Downloads%", "Malicious Downloads", category like "%Malicious Sites%", "Malicious Sites", category like "%Browser Exploits%", "Browser Exploits", category like "%Spyware\/Adware\/Keyloggers%", "Spyware\/Adware\/Keyloggers", category like "%Phishing%", "Phishing", category like "%Spam URLs%", "Spam URLs", category like "%Parked Domain%", "Parked Domain",
    category like "%Software\/Hardware%", "Software\/Hardware", category like "%Shareware\/Freeware%", "Shareware\/Freeware", category like "%PUPs (potentially unwanted programs)%", "PUPs (potentially unwanted programs)", category like "%P2P\/File Sharing%", "P2P\/File Sharing", category like "%Potential Criminal Activities%", "Potential Criminal Activities", category like "%Potential Hacking\/Computer Crime%", "Potential Hacking\/Computer Crime", category like "%Potential Illegal Software%", "Potential Illegal Software",
    category like "%Entertainment%", "Entertainment", category like "%Gambling%", "Gambling", category like "%Gambling Related%", "Gambling Related", category like "%Game\/Cartoon Violence%", "Game\/Cartoon Violence", category like "%Games%", "Games", category like "%Personal Network Storage%", "Personal Network Storage", category like "%Business%", "Business", category like "%Government\/Military%", "Government\/Military", category like "%Media Sharing%", "Media Sharing", category like "%Professional Networking%", "Professional Networking", category like "%Search Engines%", "Search Engines", category like "%Social Networking%", "Social Networking", category like "%Streaming Media%", "Streaming Media", category like "%Web Ads%", "Web Ads", category like "%Web Mail%", "Web Mail", category like "%Web Meetings%", "Web Meetings", category like "%Web Phone%", "Web Phone", category like "%Media Downloads%", "Media Downloads",
    category like "%Instant Messaging%", "Instant Messaging", category like "%Messaging%", "Messaging", category like "%Chat%", "Chat", category like "%Remote Access%", "Remote Access", category like "%Finance\/Banking%", "Finance\/Banking",
    category like "%Alcohol%", "Alcohol", category like "%Anonymizers%", "Anonymizers", category like "%Anonymizing Utilities%", "Anonymizing Utilities", category like "%Art\/Culture\/Heritage%", "Art\/Culture\/Heritage", category like "%Auctions\/Classifieds%", "Auctions\/Classifieds", category like "%Blogs\/Wiki%", "Blogs\/Wiki", category like "%Consumer Protection%", "Consumer Protection", category like "%Controversial Opinions%", "Controversial Opinions", category like "%Dating\/Personals%", "Dating\/Personals", category like "%Digital Postcards%", "Digital Postcards", category like "%Discrimination%", "Discrimination", category like "%Drugs%", "Drugs", category like "%Education\/Reference%", "Education\/Reference", category like "%Fashion\/Beauty%", "Fashion\/Beauty", category like "%For Kids%", "For Kids", category like "%Forum\/Bulletin Boards%", "Forum\/Bulletin Boards", category like "%General News%", "General News", category like "%Gruesome Content%", "Gruesome Content", category like "%Health%", "Health", category like "%Historical Revisionism%", "Historical Revisionism", category like "%Humor\/Comics%", "Humor\/Comics", category like "%Information Security%", "Information Security", category like "%Interactive Web Applications%", "Interactive Web Applications", category like "%Internet Radio\/TV%", "Internet Radio\/TV", category like "%Job Search%", "Job Search", category like "%Major Global Religions%", "Major Global Religions", category like "%Marketing\/Merchandising%", "Marketing\/Merchandising", category like "%Mobile Phone%", "Mobile Phone", category like "%Moderated%", "Moderated", category like "%Motor Vehicles%", "Motor Vehicles",
    category like "%Non-Profit\/Advocacy\/NGO%", "Non-Profit\/Advocacy\/NGO", category like "%Online Shopping%", "Online Shopping", category like "%Personal Pages%", "Personal Pages", category like "%Pharmacy%", "Pharmacy", category like "%Politics\/Opinion%", "Politics\/Opinion", category like "%Portal Sites%", "Portal Sites", category like "%Profanity%", "Profanity", category like "%Public Information%", "Public Information", category like "%Real Estate%", "Real Estate", category like "%Recreation\/Hobbies%", "Recreation\/Hobbies", category like "%Religion\/Ideologies%", "Religion\/Ideologies", category like "%Residential IP Addresses%", "Residential IP Addresses", category like "%Restaurants%", "Restaurants", category like "%Sports%", "Sports", category like "%Stock Trading%", "Stock Trading", category like "%Technical Information%", "Technical Information", category like "%Technical\/Business Forums%", "Technical\/Business Forums", category like "%Text Translators%", "Text Translators", category like "%Text\/Spoken Only%", "Text\/Spoken Only", category like "%Tobacco%", "Tobacco", category like "%Travel%", "Travel", category like "%Violence%", "Violence", category like "%Visual Search Engine%", "Visual Search Engine", category like "%Weapons%", "Weapons", category like "%Internet Services%", "Internet Services", category like "%Extreme%", "Extreme", category like "%Content Server%", "Content Server",
    category like "%", category)
| stats sum(bytes) AS total by category

This string gives a non-descriptive "Server Error". At first I thought I had typed something wrong with the syntax. I made it all the way down to "Tobacco" on my categories, and as soon as I added "Travel" it errored, making the limit look to be 93 (counting the final case for the catch-all of category like "%"). If you remove 7 or more from the list somewhere in the middle it will also run fine, so it clearly looks to be some kind of boundary limit.

Thanks!

0 Karma

somesoni2
Revered Legend

You can have your shortened category list as a lookup and use the lookup to assign category. The lookup can do a wildcard search in your category. See this for a similar example.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

0 Karma

javiergn
Super Champion

Hi @somesoni2, I didn't notice your comment here when I wrote mine so I wasn't trying to steal the karma 🙂
For some reason I'm not getting any email notifications anymore from the answers site ... There's something definitely wrong today.

0 Karma

somesoni2
Revered Legend

Hey Javier, don't worry about it. It's a classic case of concurrency. I also feel that sometimes the notifications come way late.

0 Karma

javiergn
Super Champion

Hi, if you can get those 10,000 categories in a csv file, would it not be easier to use a lookup and group your categories this way?
Also depending on the model and version of your proxy server there might be already Splunk apps available for you and some of them will definitely include dashboards to categorise web traffic, etc.

0 Karma
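The lookup approach both answers suggest, as an added example that is not from this thread: a Python script (the function names, the abridged priority list, the `Other` default and the `proxy_category_map` lookup and field names are my own assumptions) that applies the same first-match priority the question's case() encodes and emits a wildcard lookup CSV in that order, so that a single `lookup` command replaces the 93-branch eval; the transforms.conf stanza and SPL it pairs with are in the trailing comments.

```python
import csv
import io

# Priority-ordered target groups, highest priority first, in the same order as
# the case() branches in the question (constructed abridged subset; extend it
# with the full list from the question).
PRIORITY = [
    "Incidental Nudity", "Nudity", "Pornography",
    "Malicious Downloads", "Malicious Sites", "Phishing",
    "Gambling", "Business", "Search Engines", "Social Networking",
    "Streaming Media", "Travel",
]
DEFAULT = "Other"  # stands in for the catch-all branch: category like "%", category


def classify(category):
    """First match wins, exactly like case(category like "%X%", "X", ...).
    The substring test is case-sensitive, as SPL like() is."""
    for name in PRIORITY:
        if name in category:
            return name
    return DEFAULT


def lookup_rows():
    """Rows for a wildcard CSV lookup. Row order is the priority: with
    max_matches = 1 (the default) Splunk returns the first matching row in
    file order, so the more specific pattern must come first."""
    rows = [("*%s*" % name, name) for name in PRIORITY]
    rows.append(("*", DEFAULT))  # catch-all, must stay last
    return rows


def write_lookup_csv():
    """Render the lookup as CSV text (save it as proxy_category_map.csv)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["category_pattern", "category_group"])
    writer.writerows(lookup_rows())
    return buf.getvalue()


# transforms.conf stanza for the CSV (lookup and field names are assumptions):
#   [proxy_category_map]
#   filename = proxy_category_map.csv
#   match_type = WILDCARD(category_pattern)
#   max_matches = 1
# Search that replaces the 93-branch case():
#   ... | lookup proxy_category_map category_pattern AS category OUTPUT category_group
#       | stats sum(bytes) AS total by category_group
```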