Splunk Search

Help in using CASE Statement

Noob_splunker
Explorer

Hi there,

I want to group the filter into Full Outage or Partial Outage.

filter impact

3G Outage

Full Outage

Cell Blocked

Power Outage

Power OutagePartial Outage

Cell Blocked

 

Here is my query:

| eval impact=case(
searchmatch("Cell Blocked"),"Partial Outage",
searchmatch("3G Outage"),"Full Outage",1=1,"No service impact")

 

Result:

 

result.PNG

 

The correct impact should be Full Outage. Can anyone help me out?

 

Thanks,

Labels (1)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion

 

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

 

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

View solution in original post

to4kawa
Ultra Champion

 

| makeresults
| eval filter=split("3G Outage,Cell Blocked,Power Outage",",")
| rename COMMENT as "this is sample"
| rename COMMENT as "the logic"
| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

 

filter is multivalue ,searchmatch() works only _raw and case() works in order.
How about this?

Noob_splunker
Explorer

@to4kawaawesome!

 

| eval impact=case(match(filter,"3G Outage"),"Full Outage",match(filter,"Cell Blocked"),"Partial Outage",1=1,"No service impact")

this works fine for me! Thanks!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...