Splunk Search

Eval expression field not working in data model.

wgawhh5hbnht
Communicator

Here is my attempt to create a new field eval in datamodels (no results):
[screenshot]

Here is the same data, just not using the datamodel:
[screenshot]

0 Karma

richgalloway
SplunkTrust

If you change the datamodel field to case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, action) what do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma

wgawhh5hbnht
Communicator

An error message:
Error in 'eval' command: The arguments to the 'case' function are invalid.

0 Karma

richgalloway
SplunkTrust

Oops. I corrected my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

wgawhh5hbnht
Communicator

While this did get me closer, in that it provided both Success & Failure, it unfortunately gave all the other actions too, which is exactly what I'm attempting to avoid.

Values       Count   %
Decrypt      143864  82.951
Encrypt      27243   15.708
VPN Routing  2082    1.200
Key Install  186     0.107
Drop         23      0.013
Reject       18      0.010
Success      12      0.007
Log Out      3       0.002
Allow        1       0.001

Any idea why putting essentially a true clause at the end makes the Success & Failure case work? Any way to get this to work without obtaining all the other action results?

0 Karma

richgalloway
SplunkTrust

The idea behind the default clause is to determine if the other expressions are working. Your results make me think they are not, since everything appears to be falling into the last category. A better way to verify this is with case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action).

---
If this reply helps you, Karma would be appreciated.
0 Karma

wgawhh5hbnht
Communicator

It did create the "Success" & "Failure".

If I run your new query, these are the results:
Values                 Count   %
unknown - Decrypt      118137  79.418
unknown - Encrypt      28543   19.188
unknown - VPN Routing  1859    1.250
unknown - Key Install  80      0.054
unknown - Reject       74      0.050
unknown - Drop         31      0.021
Success                24      0.016
unknown - Log Out      6       0.004

(I searched separately and there weren't any failed log ins during this time period)

0 Karma

richgalloway
SplunkTrust

So it appears as though your original SPL should have worked. I can't explain why you get results with a default clause and not without it.

---
If this reply helps you, Karma would be appreciated.
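Two search-time checks for the case() expression discussed in this thread, added here as an example and not posted by either participant. The first keeps the unmatched rows visible (fillnull replaces the null case() returns with a label) and records each action's length so that values which look like "Log In" but carry extra characters stand out; the second keeps only the matched rows, which is the "without all the other actions" result asked for above. index=<your_index> sourcetype=<your_sourcetype> is a placeholder for the data model's base search.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval outcome=case(action=="Failed Log In", "Failure", action=="Log In", "Success")
| fillnull value="(no match)" outcome
| eval action_len=len(action)
| stats count by action, action_len, outcome

index=<your_index> sourcetype=<your_sourcetype>
| eval outcome=case(action=="Failed Log In", "Failure", action=="Log In", "Success")
| where isnotnull(outcome)
| stats count by outcome
```

Run the two searches separately; in the first, a "Log In" row with action_len other than 6, or a "(no match)" outcome, points at the field value rather than the case() syntax.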