Splunk Search

Eval case capturing too much information

Explorer

Hi,

I was trying to use eval with a case. Now I want to separate 2 different log messages, SENDNOW and SENDON. When I try using the eval case it captures both SENDNOW and SENDON and I don't know why. Here is part of my query:

eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on")

Now all the events with ONETIMENOW and ONETIMEON are both being recorded under Send Now. Can anyone help me so that I can separate these two? I need to use wildcards because there is more data connected to both ONETIMENOW and ONETIMEON strings.

Thanks!


Re: Eval case capturing too much information

Contributor

Hi jameskerivan,

I'm not quite sure what you're trying to do. Maybe attaching some more data will help clarify.

The eval case expression looks okay. It will assign the values "Send Now" and "Send on" to the field trans, based on the matched contents of field tt. If you want to filter the log messages after the case statement then you could use a where or search command. For example:

...| eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on") | where trans="Send Now"

If this is not what you mean then maybe provide some sample data and the expected result.


Re: Eval case capturing too much information

SplunkTrust

Hi, jameskerivan,

Try switching your arguments for match around. From the docs:

... | eval n=if(match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), 1, 0)

You have

eval trans=case(match("*ONE_TIME_NOW*", tt), "Send Now", match("*ONE_TIME_ON*", tt) ,"Send on")

And I think you need

eval trans=case(match(tt,"*ONE_TIME_NOW*"), "Send Now", match(tt,"*ONE_TIME_ON*") ,"Send on")
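As an added example (not part of either answer above), the search below builds a few constructed sample events with makeresults and applies the corrected argument order, match(SUBJECT, REGEX). The second argument of match is a PCRE regular expression, not a glob, so the surrounding asterisks are dropped: an unanchored regex already matches anywhere inside tt, which gives the "there is more data around the string" behaviour the question asks for. The tt values and the field names n and trans are constructed for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval tt=case(n=1, "job=ONE_TIME_NOW id=17",
               n=2, "job=ONE_TIME_ON date=2024-01-05",
               n=3, "job=ONE_TIME_NOW id=18",
               n=4, "job=RECURRING id=19")
| eval trans=case(match(tt, "ONE_TIME_NOW"), "Send Now",
                  match(tt, "ONE_TIME_ON"),  "Send on",
                  true(),                    "Other")
| table n tt trans
```

Expected result: rows 1 and 3 get "Send Now", row 2 gets "Send on", and row 4 falls through to "Other". Two things worth keeping in mind: case() returns the value of the first condition that is true, so when two patterns can overlap, put the more specific one first; and the trailing true() clause avoids a null trans for events that match neither pattern, which otherwise disappear silently from a later where trans="Send Now" filter.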