Splunk Search

Eval expression field not working in data model.

Path Finder

Here is my attempt to create a new field eval in datamodels (no results):
[screenshot]

Here is the same data, just not using the datamodel:
[screenshot]


Re: Eval expression field not working in data model.

SplunkTrust

If you change the datamodel field to case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, action) what do you get?

---
If this reply helps you, an upvote would be appreciated.

Re: Eval expression field not working in data model.

Path Finder

An error message:
Error in 'eval' command: The arguments to the 'case' function are invalid.


Re: Eval expression field not working in data model.

SplunkTrust

Oops. I corrected my answer.


Re: Eval expression field not working in data model.

Path Finder

While this did get me closer, in that it provided both the Success & Failure, it unfortunately gave all the other actions too, which is exactly what I'm attempting to avoid.

Values       Count    %
Decrypt      143864   82.951
Encrypt      27243    15.708
VPN Routing  2082     1.200
Key Install  186      0.107
Drop         23       0.013
Reject       18       0.010
Success      12       0.007
Log Out      3        0.002
Allow        1        0.001

Any idea why putting essentially a true clause at the end makes the Success & Failure case work? Any way to get this to work without obtaining all the other action results?


Re: Eval expression field not working in data model.

SplunkTrust

The idea behind the default clause is to determine if the other expressions are working. Your results make me think they are not, since everything appears to be falling into the last category. A better way to verify this is with case(action=="Failed Log In", "Failure", action=="Log In", "Success", 1==1, "unknown - " . action).


Re: Eval expression field not working in data model.

Path Finder

It did create the "Success" & "Failure".

If I run your new query, these are the results:
Values                 Count    %
unknown - Decrypt      118137   79.418
unknown - Encrypt      28543    19.188
unknown - VPN Routing  1859     1.250
unknown - Key Install  80       0.054
unknown - Reject       74       0.050
unknown - Drop         31       0.021
Success                24       0.016
unknown - Log Out      6        0.004

(I searched separately and there weren't any failed log ins during this time period)


Re: Eval expression field not working in data model.

SplunkTrust

So it appears as though your original SPL should have worked. I can't explain why you get results with a default clause and not without it.

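A constructed search, added here and not taken from the thread, that rebuilds the two case() variants the replies discuss on sample events (the action values are made up to match the ones in the posts) and then keeps only the Success/Failure rows, which is what the asker wanted without listing every other action; the field names outcome and outcome_dbg are assumptions of this example.

```spl
| makeresults count=1
| eval action=split("Decrypt,Encrypt,Log In,Failed Log In,Drop,Log In,Log Out", ",")
| mvexpand action
| eval outcome=case(action=="Failed Log In", "Failure",
                    action=="Log In",        "Success")
| eval outcome_dbg=case(action=="Failed Log In", "Failure",
                        action=="Log In",        "Success",
                        1==1,                    "unknown - " . action)
| fillnull value="NULL" outcome
| stats count by action, outcome, outcome_dbg
| where outcome!="NULL"
```

Without a default clause, case() yields null for every action it does not match, so fillnull is needed to keep those rows visible in the stats output; drop the final where line to see them listed as NULL next to their "unknown - ..." debugging value, and keep it to get only the Log In and Failed Log In rows.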