Re: Eval case capturing too much information

jameskerivan · ‎10-12-2015

Hi,

I was trying to use eval with a case. Now I want to separate 2 different log messages, SEND_NOW and SEND_ON. When I try using the eval case it captures both SEND_NOW AND SEND_ON and I dont know why. Here is part of my query

eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on")

Now all the events with ONE_TIME_NOW and ONE_TIME_ON are both being recorded under Send Now. Can anyone help me so that I can separate these two? I need to use wildcards because there is more data connected to both ONE_TIME_NOW and ONE_TIME_ON strings.

Thanks!

Richfez · ‎10-12-2015

Hi, jameskerivan,

Try switching your arguments for match around. From the docs:

... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)

You have

eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on")

And I think you need

eval trans=case(match(tt,"*ONE_TIME_NOW*"), "Send Now", match(tt,"*ONE_TIME_ON*") ,"Send on")

gcato · ‎10-12-2015

Hi jameskerivan,

I'm not quite sure what you're trying to do. Maybe attach some more data will help clarify.

The eval case expression looks okay. It will assign the values "Send Now" and "Send on" to the field trans, based on the matched contents of field tt. If you want to filter the log messages after the case statement then you could use a where or search command. For example:

...| eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on") | where trans="Send Now"

If this is not what you mean then maybe provide some sample data and the expected result.

Eval case capturing too much information

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms