Splunk Search

Eval expression field not working in data model.

wgawhh5hbnht
Communicator

Here is my attempt to create a new field eval in datamodels (no results):
[screenshot: the eval field definition in the data model, returning no results]

Here is the same data, just not using the datamodel:
[screenshot: the same eval expression run as a normal search, returning results]

0 Karma

richgalloway
SplunkTrust

If you change the datamodel field to case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, action) what do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma

wgawhh5hbnht
Communicator

An error message:
Error in 'eval' command: The arguments to the 'case' function are invalid.

0 Karma

richgalloway
SplunkTrust

Oops. I corrected my answer.

0 Karma

wgawhh5hbnht
Communicator

While this did get me closer, in that it provided both the Success & Failure, it unfortunately gave all the other actions too, which is exactly what I'm attempting to avoid.

Values        Count    %
Decrypt       143864   82.951
Encrypt       27243    15.708
VPN Routing   2082     1.200
Key Install   186      0.107
Drop          23       0.013
Reject        18       0.010
Success       12       0.007
Log Out       3        0.002
Allow         1        0.001

Any idea why putting essentially a true clause at the end makes the Success & Failure case work? Any way to get this to work without obtaining all the other action results?

0 Karma

richgalloway
SplunkTrust

The idea behind the default clause is to determine if the other expressions are working. Your results make me think they are not, since everything appears to be falling into the last category. A better way to verify this is with case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action).

0 Karma

wgawhh5hbnht
Communicator

It did create the "Success" & "Failure".

If I run your new query, these are the results:
Values                  Count    %
unknown - Decrypt       118137   79.418
unknown - Encrypt       28543    19.188
unknown - VPN Routing   1859     1.250
unknown - Key Install   80       0.054
unknown - Reject        74       0.050
unknown - Drop          31       0.021
Success                 24       0.016
unknown - Log Out       6        0.004

(I searched separately and there weren't any failed log ins during this time period)

0 Karma

richgalloway
SplunkTrust

So it appears as though your original SPL should have worked. I can't explain why you get results with a default clause and not without it.

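The difference between the two case() expressions discussed in this thread, as an added Python example (not Splunk code and not from any poster) that emulates case() over a constructed set of events: without a default clause, events whose action matches nothing evaluate to null and so never appear in a field summary, while the 1==1 default gives every event a value. The event values and the spl_case helper are assumptions for illustration.

```python
"""Emulate Splunk eval case() semantics on constructed events (added example).
case() takes condition/value pairs, returns the value for the first true
condition, and returns null when no condition is true."""
from collections import Counter

# Constructed sample events; the action values are assumptions for illustration.
EVENTS = [
    {"action": "Decrypt"}, {"action": "Decrypt"}, {"action": "Encrypt"},
    {"action": "Log In"}, {"action": "Log In"}, {"action": "Failed Log In"},
    {"action": "VPN Routing"}, {"action": "Log Out"},
]

def spl_case(*pairs):
    """Return the value of the first true condition, else None (SPL null).
    Arguments must come in condition/value pairs, as case() requires; an odd
    count is the kind of mistake that produces the 'arguments invalid' error."""
    if len(pairs) % 2:
        raise ValueError("arguments to case() must be condition/value pairs")
    for cond, value in zip(pairs[::2], pairs[1::2]):
        if cond:
            return value
    return None

def result_without_default(action):
    # case(action=="Failed Log In", "Failure", action=="Log In", "Success")
    return spl_case(action == "Failed Log In", "Failure",
                    action == "Log In", "Success")

def result_with_default(action):
    # same expression with the 1==1 default: "unknown - " . action
    return spl_case(action == "Failed Log In", "Failure",
                    action == "Log In", "Success",
                    1 == 1, "unknown - " + action)

def value_counts(events, func):
    """Mimic the field summary: null values never form a bucket, so the
    percentages are taken over events that actually got a value."""
    values = (func(e["action"]) for e in events)
    counts = Counter(v for v in values if v is not None)
    total = sum(counts.values())
    return {k: (n, round(100 * n / total, 3)) for k, n in counts.items()}
```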